that have been renamed in the past, and that still provide
a backwards-compatible default value for their replacement.
The parameters deprecated by this change are:
- authorized_verp_clients, fallback_relay, lmtp_per_request_deadline,
+ authorized_verp_clients, fallback_relay, lmtp_per_record_deadline,
postscreen_blacklist_action, postscreen_dnsbl_ttl,
postscreen_dnsbl_whitelist_threshold,
postscreen_whitelist_interfaces,
smtpd_client_connection_limit_exceptions,
- smtp_per_request_deadline, tlsproxy_client_level,
+ smtp_per_record_deadline, tlsproxy_client_level,
tlsproxy_client_policy, virtual_maps. Files: mantools/postlink,
proto/DEPRECATION_README.html, postconf/postconf_unused.c.
tls_ffdhe_auto_groups parameters because doing this now
would make migration noisy. Files: proto/DEPRECATION_README.html,
proto/postconf.proto, postconf/postconf_unused.c.
+
+20251029
+
+ Cleanup: postconf(1) logged a few wrong deprecated parameter
+ names (Viktor Dukhovni). Sort the order of unused and
+ deprecated warnings to make test results predictable.
+ Files: proto/DEPRECATION_README.html, postconf/Makefile.in,
+ postconf/postconf_unused.c, postconf/test28.ref,
+ postconf/test29.ref, postconf/test2.ref, postconf/test57.ref,
+ postconf/test59.ref, postconf/test67.ref, postconf/test76.ref,
+ postconf/test77.ref, postconf/test78.ref, postconf/test79.ref.
+
+ Debugging: depending on OpenSSL build options, "posttls-finger
+ -L ssl-debug" will decode TLS handshake messages. Viktor
+ Dukhovni. File: posttls-finger/posttls-finger.c
|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
|fallback_relay | 3.11 | - |smtp_fallback_relay |
|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |lmtp_per_request_deadline | 3.11 | - |lmtp_per_request_deadline |
+ |lmtp_per_record_deadline | 3.11 | - |lmtp_per_request_deadline |
|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
|postscreen_blacklist_action | 3.11 | - |postscreen_denylist_action |
|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
|smtpd_client_connection_limit_exceptions| 3.11 | - |smtpd_client_event_limit_exceptions |
|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |smtp_per_request_deadline | 3.11 | - |smtp_per_request_deadline |
+ |smtpd_per_record_deadline | 3.11 | - |smtpd_per_request_deadline |
+ |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ |smtp_per_record_deadline | 3.11 | - |smtp_per_request_deadline |
|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
|tlsproxy_client_level | 3.11 | - |tlsproxy_client_security_level |
|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
specify "smtpd_authorized_verp_clients"
* support for parameter "fallback_relay" will be removed; instead, specify
"smtp_fallback_relay"
- * support for parameter "lmtp_per_request_deadline" will be removed; instead,
+ * support for parameter "lmtp_per_record_deadline" will be removed; instead,
specify "lmtp_per_request_deadline"
* support for parameter "postscreen_blacklist_action" will be removed;
instead, specify "postscreen_denylist_action"
instead, specify "postscreen_allowlist_interfaces"
* support for parameter "smtpd_client_connection_limit_exceptions" will be
removed; instead, specify "smtpd_client_event_limit_exceptions"
- * support for parameter "smtp_per_request_deadline" will be removed; instead,
+ * support for parameter "smtp_per_record_deadline" will be removed; instead,
specify "smtp_per_request_deadline"
* support for parameter "tlsproxy_client_level" will be removed; instead,
specify "tlsproxy_client_security_level"
align="center"> 3.11 </td> <td align="center"> - </td> <td>
<a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a> </td> </tr>
-<tr> <td> <a href="#renamed"> lmtp_per_request_deadline </a> </td>
+<tr> <td> <a href="#renamed"> lmtp_per_record_deadline </a> </td>
<td align="center"> 3.11 </td> <td align="center"> - </td> <td>
<a href="postconf.5.html#lmtp_per_request_deadline">lmtp_per_request_deadline</a> </td> </tr>
</td> <td>
<a href="postconf.5.html#smtpd_client_event_limit_exceptions">smtpd_client_event_limit_exceptions</a> </td> </tr>
-<tr> <td> <a href="#renamed"> smtp_per_request_deadline </a> </td>
+<tr> <td> <a href="#renamed"> smtpd_per_record_deadline </a> </td>
+<td align="center"> 3.11 </td> <td align="center"> - </td> <td>
+<a href="postconf.5.html#smtpd_per_request_deadline">smtpd_per_request_deadline</a> </td> </tr>
+
+<tr> <td> <a href="#renamed"> smtp_per_record_deadline </a> </td>
<td align="center"> 3.11 </td> <td align="center"> - </td> <td>
<a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a> </td> </tr>
<li> support for parameter "<a href="postconf.5.html#fallback_relay">fallback_relay</a>" will be removed; instead,
specify "<a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a>" </li>
-<li> support for parameter "<a href="postconf.5.html#lmtp_per_request_deadline">lmtp_per_request_deadline</a>" will be
+<li> support for parameter "<a href="postconf.5.html#lmtp_per_record_deadline">lmtp_per_record_deadline</a>" will be
removed; instead, specify "<a href="postconf.5.html#lmtp_per_request_deadline">lmtp_per_request_deadline</a>" </li>
<li> support for parameter "<a href="postconf.5.html#postscreen_blacklist_action">postscreen_blacklist_action</a>" will be
will be removed; instead, specify "<a href="postconf.5.html#smtpd_client_event_limit_exceptions">smtpd_client_event_limit_exceptions</a>"
</li>
-<li> support for parameter "<a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a>" will be
+<li> support for parameter "<a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a>" will be
removed; instead, specify "<a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a>" </li>
<li> support for parameter "<a href="postconf.5.html#tlsproxy_client_level">tlsproxy_client_level</a>" will be removed;
<b>ssl-debug</b>
Turn on OpenSSL logging of the progress of the SSL hand-
- shake.
+ shake. This includes detailed output of decoded hand-
+ shake messages.
<b>ssl-handshake-packet-dump</b>
- Log hexadecimal packet dumps of the SSL handshake; for
+ Log hexadecimal packet dumps of the SSL handshake; for
experts only.
<b>ssl-session-packet-dump</b>
- Log hexadecimal packet dumps of the entire SSL session;
- only useful to those who can debug SSL protocol problems
+ Log hexadecimal packet dumps of the entire SSL session;
+ only useful to those who can debug SSL protocol problems
from hex dumps.
<b>untrusted</b>
- Logs trust chain verification problems. This is turned
- on automatically at security levels that use peer names
- signed by Certification Authorities to validate certifi-
- cates. So while this setting is recognized, you should
+ Logs trust chain verification problems. This is turned
+ on automatically at security levels that use peer names
+ signed by Certification Authorities to validate certifi-
+ cates. So while this setting is recognized, you should
never need to set it explicitly.
<b>peercert</b>
- This logs a one line summary of the remote SMTP server
+ This logs a one line summary of the remote SMTP server
certificate subject, issuer, and fingerprints.
<b>certmatch</b>
- This logs remote SMTP server certificate matching, show-
+ This logs remote SMTP server certificate matching, show-
ing the CN and each subjectAltName and which name
- matched. With DANE, logs matching of TLSA record
+ matched. With DANE, logs matching of TLSA record
trust-anchor and end-entity certificates.
- <b>cache</b> This logs session cache operations, showing whether ses-
- sion caching is effective with the remote SMTP server.
- Automatically used when reconnecting with the <b>-r</b> option;
+ <b>cache</b> This logs session cache operations, showing whether ses-
+ sion caching is effective with the remote SMTP server.
+ Automatically used when reconnecting with the <b>-r</b> option;
rarely needs to be set explicitly.
<b>verbose</b>
Enables verbose logging in the Postfix TLS driver;
includes all of peercert..cache and more.
- The default is <b>routine,certmatch</b>. After a reconnect, <b>peercert</b>,
+ The default is <b>routine,certmatch</b>. After a reconnect, <b>peercert</b>,
<b>certmatch</b> and <b>verbose</b> are automatically disabled while <b>cache</b> and
<b>summary</b> are enabled.
<b>-m</b> <i>count</i> (default: <b>5</b>)
- When the <b>-r</b> <i>delay</i> option is specified, the <b>-m</b> option determines
- the maximum number of reconnect attempts to use with a server
- behind a load balancer, to see whether connection caching is
- likely to be effective for this destination. Some MTAs don't
- expose the underlying server identity in their EHLO response;
- with these servers there will never be more than 1 reconnection
+ When the <b>-r</b> <i>delay</i> option is specified, the <b>-m</b> option determines
+ the maximum number of reconnect attempts to use with a server
+ behind a load balancer, to see whether connection caching is
+ likely to be effective for this destination. Some MTAs don't
+ expose the underlying server identity in their EHLO response;
+ with these servers there will never be more than 1 reconnection
attempt.
<b>-M</b> <i>insecure</i><b>_</b><i>mx</i><b>_</b><i>policy</i> (default: <b>dane</b>)
- The TLS policy for MX hosts with "secure" TLSA records when the
- nexthop destination security level is <b>dane</b>, but the MX record
+ The TLS policy for MX hosts with "secure" TLSA records when the
+ nexthop destination security level is <b>dane</b>, but the MX record
was found via an "insecure" MX lookup. See the <a href="postconf.5.html">main.cf</a> documen-
tation for <a href="postconf.5.html#smtp_tls_dane_insecure_mx_policy">smtp_tls_dane_insecure_mx_policy</a> for details.
<b>-o</b> <i>name=value</i>
- Specify zero or more times to override the value of the <a href="postconf.5.html">main.cf</a>
- parameter <i>name</i> with <i>value</i>. Possible use-cases include overrid-
- ing the values of TLS library parameters, or "<a href="postconf.5.html#myhostname">myhostname</a>" to
+ Specify zero or more times to override the value of the <a href="postconf.5.html">main.cf</a>
+ parameter <i>name</i> with <i>value</i>. Possible use-cases include overrid-
+ ing the values of TLS library parameters, or "<a href="postconf.5.html#myhostname">myhostname</a>" to
configure the SMTP EHLO name sent to the remote server.
<b>-p</b> <i>protocols</i> (default: >=TLSv1)
- TLS protocols that <a href="posttls-finger.1.html"><b>posttls-finger</b>(1)</a> will exclude or include.
+ TLS protocols that <a href="posttls-finger.1.html"><b>posttls-finger</b>(1)</a> will exclude or include.
See <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> for details.
<b>-P</b> <i>CApath/</i> (default: none)
- The OpenSSL CApath/ directory (indexed via c_rehash(1)) for
+ The OpenSSL CApath/ directory (indexed via c_rehash(1)) for
remote SMTP server certificate verification. By default no CAp-
ath is used and no public CAs are trusted.
<b>-r</b> <i>delay</i>
- With a cacheable TLS session, disconnect and reconnect after
+ With a cacheable TLS session, disconnect and reconnect after
<i>delay</i> seconds. Report whether the session is re-used. Retry if a
- new server is encountered, up to 5 times or as specified with
- the <b>-m</b> option. By default reconnection is disabled, specify a
+ new server is encountered, up to 5 times or as specified with
+ the <b>-m</b> option. By default reconnection is disabled, specify a
positive delay to enable this behavior.
<b>-R</b> Use SRV lookup instead of MX.
<b>-s</b> <i>servername</i>
- The server name to send with the TLS Server Name Indication
- (SNI) extension. When the server has DANE TLSA records, this
- parameter is ignored and the TLSA base domain is used instead.
- Otherwise, SNI is not used by default, but can be enabled by
+ The server name to send with the TLS Server Name Indication
+ (SNI) extension. When the server has DANE TLSA records, this
+ parameter is ignored and the TLSA base domain is used instead.
+ Otherwise, SNI is not used by default, but can be enabled by
specifying the desired value with this option.
- <b>-S</b> Disable SMTP; that is, connect to an LMTP server. The default
- port for LMTP over TCP is 24. Alternative ports can specified
- by appending "<i>:servicename</i>" or ":<i>portnumber</i>" to the destination
+ <b>-S</b> Disable SMTP; that is, connect to an LMTP server. The default
+ port for LMTP over TCP is 24. Alternative ports can specified
+ by appending "<i>:servicename</i>" or ":<i>portnumber</i>" to the destination
argument.
<b>-t</b> <i>timeout</i> (default: <b>30</b>)
reading the remote server's 220 banner.
<b>-T</b> <i>timeout</i> (default: <b>30</b>)
- The SMTP/LMTP command timeout for EHLO/LHLO, STARTTLS and QUIT.
+ The SMTP/LMTP command timeout for EHLO/LHLO, STARTTLS and QUIT.
- <b>-v</b> Enable verbose Postfix logging. Specify more than once to
+ <b>-v</b> Enable verbose Postfix logging. Specify more than once to
increase the level of verbose logging.
- <b>-w</b> Enable outgoing TLS wrapper mode, or SUBMISSIONS/SMTPS support.
- This is typically provided on port 465 by servers that are com-
- patible with the SMTP-in-SSL protocol, rather than the STARTTLS
- protocol. The destination <i>domain</i>:<i>port</i> must of course provide
+ <b>-w</b> Enable outgoing TLS wrapper mode, or SUBMISSIONS/SMTPS support.
+ This is typically provided on port 465 by servers that are com-
+ patible with the SMTP-in-SSL protocol, rather than the STARTTLS
+ protocol. The destination <i>domain</i>:<i>port</i> must of course provide
such a service.
- <b>-x</b> Prefer <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> non-X.509 raw public key (RPK) server creden-
- tials. By default only X.509 certificates are accepted. This
+ <b>-x</b> Prefer <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> non-X.509 raw public key (RPK) server creden-
+ tials. By default only X.509 certificates are accepted. This
is analogous to setting <b><a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> = yes</b> in the <a href="smtp.8.html">smtp(8)</a>
client. At the fingerprint security level, when raw public keys
- are enabled, only public key (and not certificate) fingerprints
- will be compared against the specified list of <i>match</i> arguments.
- Certificate fingerprints are fragile when raw public keys are
- solicited, the server may at some point in time start returning
+ are enabled, only public key (and not certificate) fingerprints
+ will be compared against the specified list of <i>match</i> arguments.
+ Certificate fingerprints are fragile when raw public keys are
+ solicited, the server may at some point in time start returning
only the public key.
- <b>-X</b> Enable <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> mode. This is an unsupported mode, for pro-
+ <b>-X</b> Enable <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> mode. This is an unsupported mode, for pro-
gram development only.
[<b>inet:</b>]<i>domain</i>[:<i>port</i>]
Connect via TCP to domain <i>domain</i>, port <i>port</i>. The default port is
- <b>smtp</b> (or 24 with LMTP). With SMTP an MX lookup is performed to
- resolve the domain to a host, unless the domain is enclosed in
- <b>[]</b>. If you want to connect to a specific MX host, for instance
- <i>mx1.example.com</i>, specify [<i>mx1.example.com</i>] as the destination
+ <b>smtp</b> (or 24 with LMTP). With SMTP an MX lookup is performed to
+ resolve the domain to a host, unless the domain is enclosed in
+ <b>[]</b>. If you want to connect to a specific MX host, for instance
+ <i>mx1.example.com</i>, specify [<i>mx1.example.com</i>] as the destination
and <i>example.com</i> as a <b>match</b> argument. When using DNS, the desti-
- nation domain is assumed fully qualified and no <a href="ADDRESS_CLASS_README.html#default_domain_class">default domain</a>
- or search suffixes are applied; you must use fully-qualified
- names or also enable <b>native</b> host lookups (these don't support
- <b>dane</b> or <b>dane-only</b> as no DNSSEC validation information is avail-
+ nation domain is assumed fully qualified and no default domain
+ or search suffixes are applied; you must use fully-qualified
+ names or also enable <b>native</b> host lookups (these don't support
+ <b>dane</b> or <b>dane-only</b> as no DNSSEC validation information is avail-
able via <b>native</b> lookups).
<b>unix:</b><i>pathname</i>
<b>match ...</b>
With no match arguments specified, certificate peername matching
uses the compiled-in default strategies for each security level.
- If you specify one or more arguments, these will be used as the
- list of certificate or public-key digests to match for the <b>fin-</b>
+ If you specify one or more arguments, these will be used as the
+ list of certificate or public-key digests to match for the <b>fin-</b>
<b>gerprint</b> level, or as the list of DNS names to match in the cer-
tificate at the <b>verify</b> and <b>secure</b> levels. If the security level
is <b>dane</b>, or <b>dane-only</b> the match names are ignored, and <b>hostname,</b>
These synonymous values combine ssl\-expert with ssl\-session\-packet\-dump.
For experts only, and in most cases, use wireshark instead.
.IP "\fBssl\-debug\fR"
-Turn on OpenSSL logging of the progress of the SSL handshake.
+Turn on OpenSSL logging of the progress of the SSL handshake. This
+includes detailed output of decoded handshake messages.
.IP "\fBssl\-handshake\-packet\-dump\fR"
Log hexadecimal packet dumps of the SSL handshake; for experts only.
.IP "\fBssl\-session\-packet\-dump\fR"
align="center"> 3.11 </td> <td align="center"> - </td> <td>
smtp_fallback_relay </td> </tr>
-<tr> <td> <a href="#renamed"> lmtp_per_request_deadline </a> </td>
+<tr> <td> <a href="#renamed"> lmtp_per_record_deadline </a> </td>
<td align="center"> 3.11 </td> <td align="center"> - </td> <td>
lmtp_per_request_deadline </td> </tr>
</td> <td>
smtpd_client_event_limit_exceptions </td> </tr>
-<tr> <td> <a href="#renamed"> smtp_per_request_deadline </a> </td>
+<tr> <td> <a href="#renamed"> smtpd_per_record_deadline </a> </td>
+<td align="center"> 3.11 </td> <td align="center"> - </td> <td>
+smtpd_per_request_deadline </td> </tr>
+
+<tr> <td> <a href="#renamed"> smtp_per_record_deadline </a> </td>
<td align="center"> 3.11 </td> <td align="center"> - </td> <td>
smtp_per_request_deadline </td> </tr>
<li> support for parameter "fallback_relay" will be removed; instead,
specify "smtp_fallback_relay" </li>
-<li> support for parameter "lmtp_per_request_deadline" will be
+<li> support for parameter "lmtp_per_record_deadline" will be
removed; instead, specify "lmtp_per_request_deadline" </li>
<li> support for parameter "postscreen_blacklist_action" will be
will be removed; instead, specify "smtpd_client_event_limit_exceptions"
</li>
-<li> support for parameter "smtp_per_request_deadline" will be
+<li> support for parameter "smtp_per_record_deadline" will be
removed; instead, specify "smtp_per_request_deadline" </li>
<li> support for parameter "tlsproxy_client_level" will be removed;
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20251029"
+#define MAIL_RELEASE_DATE "20251030"
#define MAIL_VERSION_NUMBER "3.11"
#ifdef SNAPSHOT
config_directory=. \
authorized_verp_clients=x \
fallback_relay=x \
- lmtp_per_request_deadline=x \
+ lmtp_per_record_deadline=x \
postscreen_blacklist_action=x \
postscreen_dnsbl_ttl=x \
postscreen_dnsbl_whitelist_threshold=x \
postscreen_whitelist_interfaces=x \
smtpd_client_connection_limit_exceptions=x \
- smtp_per_request_deadline=x \
+ smtpd_per_record_deadline=x \
+ smtp_per_record_deadline=x \
tlsproxy_client_level=x \
tlsproxy_client_policy=x \
virtual_maps=x \
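Review bot: The test input now sets `smtpd_per_record_deadline=x`, but the "support for parameter ... will be removed" lists in the DEPRECATION_README hunks on this page have no matching entry; they go straight from `smtpd_client_connection_limit_exceptions` to `smtp_per_record_deadline`. The README table and the C table do gain an `smtpd_per_record_deadline` row. If those lists are meant to mirror this target's output, they need an entry such as `support for parameter "smtpd_per_record_deadline" will be removed; instead, specify "smtpd_per_request_deadline"`. The HISTORY list of deprecated parameters has the same gap. The Makefile target starts and ends outside the hunk.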
postconf_unused.o: ../../include/mail_params.h
postconf_unused.o: ../../include/msg.h
postconf_unused.o: ../../include/myflock.h
+postconf_unused.o: ../../include/mymalloc.h
postconf_unused.o: ../../include/name_code.h
postconf_unused.o: ../../include/sys_defs.h
postconf_unused.o: ../../include/vbuf.h
/* System library. */
#include <sys_defs.h>
+#include <string.h>
/* Utility library. */
#include <msg.h>
+#include <mymalloc.h>
#include <dict.h>
#include <vstream.h>
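Review bot: `qsort()` is called in this file's new code further down, but this include hunk adds only `<string.h>` and `<mymalloc.h>`, and `qsort` is declared in `<stdlib.h>`. Unless one of the headers already included here provides it (not visible on this page), add `#include <stdlib.h>` next to `#include <string.h>` so the call does not depend on an indirect include.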
*/
"authorized_verp_clients", "specify \"smtpd_authorized_verp_clients\"",
"fallback_relay", "specify \"smtp_fallback_relay\"",
- "lmtp_per_request_deadline", "specify \"lmtp_per_request_deadline\"",
+ "lmtp_per_record_deadline", "specify \"lmtp_per_request_deadline\"",
"lmtp_tls_enforce_peername", "specify \"lmtp_tls_security_level\"",
"postscreen_blacklist_action", "specify \"postscreen_denylist_action\"",
"postscreen_dnsbl_ttl", "specify \"postscreen_dnsbl_max_ttl\"",
"postscreen_dnsbl_whitelist_threshold", "specify \"postscreen_dnsbl_allowlist_threshold\"",
"postscreen_whitelist_interfaces", "specify \"postscreen_allowlist_interfaces\"",
"smtpd_client_connection_limit_exceptions", "specify \"smtpd_client_event_limit_exceptions\"",
- "smtp_per_request_deadline", "specify \"smtp_per_request_deadline\"",
+ "smtpd_per_record_deadline", "specify \"smtpd_per_request_deadline\"",
+ "smtp_per_record_deadline", "specify \"smtp_per_request_deadline\"",
"smtp_tls_enforce_peername", "specify \"smtp_tls_security_level\"",
"tlsproxy_client_level", "specify \"tlsproxy_client_security_level\"",
"tlsproxy_client_policy", "specify \"tlsproxy_client_policy_maps\"",
static HTABLE *pcf_depr_param_table;
int pcf_found_deprecated;
+#define STR(x) vstring_str(x)
+
/* pcf_init_depr_params - initialize lookup table */
static void pcf_init_depr_params(void)
(void) htable_enter(pcf_depr_param_table, dp->name, (void *) dp);
}
+/* pcf_cmp_ht_key - qsort helper for ht_info pointer array */
+
+static int pcf_cmp_ht_key(const void *a, const void *b)
+{
+ HTABLE_INFO **ap = (HTABLE_INFO **) a;
+ HTABLE_INFO **bp = (HTABLE_INFO **) b;
+
+ return (strcmp(ap[0]->key, bp[0]->key));
+}
+
/* pcf_flag_unused_parameters - warn about unused parameters */
static void pcf_flag_unused_parameters(DICT *dict, const char *conf_name,
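Review bot: `pcf_cmp_ht_key` casts away the `const` of its arguments although it only reads through them; `const HTABLE_INFO *const *ap = a;` (and likewise for `bp`) keeps the qualifier and needs no cast. The header comment could also say why `strcmp` is used, for example `/* pcf_cmp_ht_key - qsort helper, byte-wise key order so results do not depend on the locale */`, since predictable test output is the stated purpose of the sort.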
const char *param_name;
const char *param_value;
int how;
+ HTABLE *flagged;
+ VSTRING *buf;
/*
* Sanity checks.
* anywhere, or that are deprecated. Show the warning message(s) after
* the end of the stdout output.
*/
+ flagged = htable_create(1);
+ buf = vstring_alloc(100);
for (how = DICT_SEQ_FUN_FIRST;
dict->sequence(dict, how, ¶m_name, ¶m_value) == 0;
how = DICT_SEQ_FUN_NEXT) {
if (PCF_PARAM_TABLE_LOCATE(pcf_param_table, param_name) == 0
&& (local_scope == 0
|| PCF_PARAM_TABLE_LOCATE(local_scope->valid_names, param_name) == 0)) {
- vstream_fflush(VSTREAM_OUT);
if ((dp = (const PCF_DEPR_PARAM_INFO *)
htable_find(pcf_depr_param_table, param_name)) != 0) {
- msg_warn("%s/%s: support for parameter %s has been removed;"
- " instead, %s", var_config_dir, conf_name,
- param_name, dp->alternative);
+ vstring_sprintf(buf, "%s/%s: support for parameter %s"
+ " has been removed; instead, %s",
+ var_config_dir, conf_name,
+ param_name, dp->alternative);
pcf_found_deprecated = 1;
} else {
- msg_warn("%s/%s: unused parameter: %s=%s",
- var_config_dir, conf_name, param_name, param_value);
+ vstring_sprintf(buf, "%s/%s: unused parameter: %s=%s",
+ var_config_dir, conf_name, param_name, param_value);
}
+ (void) htable_enter(flagged, param_name, mystrdup(STR(buf)));
}
/*
*/
else if ((dp = (const PCF_DEPR_PARAM_INFO *)
htable_find(pcf_depr_param_table, param_name)) != 0) {
- vstream_fflush(VSTREAM_OUT);
- msg_warn("%s/%s: support for parameter \"%s\" will be removed;"
- " instead, %s", var_config_dir, conf_name,
- param_name, dp->alternative);
+ vstring_sprintf(buf, "%s/%s: support for parameter \"%s\""
+ " will be removed; instead, %s",
+ var_config_dir, conf_name,
+ param_name, dp->alternative);
pcf_found_deprecated = 1;
+ (void) htable_enter(flagged, param_name, mystrdup(STR(buf)));
}
}
+
+ /*
+ * Log flagged parameters in sorted order, for predictable results.
+ */
+ if (flagged->used > 0) {
+ HTABLE_INFO **ht_info;
+ HTABLE_INFO **ht;
+
+ vstream_fflush(VSTREAM_OUT);
+ ht_info = htable_list(flagged);
+ qsort((void *) ht_info, flagged->used, sizeof(*ht_info),
+ pcf_cmp_ht_key);
+ for (ht = ht_info; *ht; ht++)
+ msg_warn("%s", (char *) ht[0]->value);
+ myfree(ht_info);
+ }
+ htable_free(flagged, myfree);
+ vstring_free(buf);
}
/* pcf_flag_unused_main_parameters - warn about unused parameters */
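Review bot: The `msg_warn("%s", ...)` call in the new output loop should carry a why-comment, because the saved text is built from `param_name` and `param_value` read from the configuration file and must never be passed as the format argument itself. A line such as `/* "%s": the saved text contains configuration file content */` above the call would keep a later cleanup from collapsing it to `msg_warn(value)`. The block comment could also say that the order is by parameter name, since `pcf_cmp_ht_key` compares only the table key, so "has been removed", "will be removed" and "unused parameter" warnings interleave. pcf_flag_unused_parameters starts outside the hunk.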
config_directory = .
-./postconf: warning: ./main.cf: unused parameter: restriction_classes=foo bar
./postconf: warning: ./main.cf: unused parameter: foo=yes
+./postconf: warning: ./main.cf: unused parameter: restriction_classes=foo bar
hh_domain = whatever
yy = aap
zz = $yy
+./postconf: warning: ./main.cf: unused parameter: aa_domain=whatever
./postconf: warning: ./main.cf: unused parameter: foo_domain=bar
./postconf: warning: ./main.cf: unused parameter: xx=proxy:ldap:foo
-./postconf: warning: ./main.cf: unused parameter: aa_domain=whatever
config_directory = .
-./postconf: warning: ./main.cf: unused parameter: pgsqlfoo_domain=bar
-./postconf: warning: ./main.cf: unused parameter: sqlitefoo_domain=bar
+./postconf: warning: ./main.cf: unused parameter: ldapfoo_domain=bar
+./postconf: warning: ./main.cf: unused parameter: ldapfoo_domainx=bar
./postconf: warning: ./main.cf: unused parameter: ldapxx=proxy:ldap:ldapfoo
-./postconf: warning: ./main.cf: unused parameter: mongodbfoo_domain=bar
-./postconf: warning: ./main.cf: unused parameter: sqlitexx=proxy:sqlite:sqlitefoo
-./postconf: warning: ./main.cf: unused parameter: mysqlfoo_domain=bar
-./postconf: warning: ./main.cf: unused parameter: sqlitefoo_domainx=bar
./postconf: warning: ./main.cf: unused parameter: memcachefoo_domain=bar
-./postconf: warning: ./main.cf: unused parameter: pgsqlfoo_domainx=bar
-./postconf: warning: ./main.cf: unused parameter: mongodbfoo_domainx=bar
-./postconf: warning: ./main.cf: unused parameter: ldapfoo_domainx=bar
-./postconf: warning: ./main.cf: unused parameter: ldapfoo_domain=bar
-./postconf: warning: ./main.cf: unused parameter: memcachexx=proxy:memcache:memcachefoo
./postconf: warning: ./main.cf: unused parameter: memcachefoo_domainx=bar
+./postconf: warning: ./main.cf: unused parameter: memcachexx=proxy:memcache:memcachefoo
+./postconf: warning: ./main.cf: unused parameter: mongodbfoo_domain=bar
+./postconf: warning: ./main.cf: unused parameter: mongodbfoo_domainx=bar
+./postconf: warning: ./main.cf: unused parameter: mongodbxx=proxy:mongodb:mongodbfoo
+./postconf: warning: ./main.cf: unused parameter: mysqlfoo_domain=bar
./postconf: warning: ./main.cf: unused parameter: mysqlfoo_domainx=bar
./postconf: warning: ./main.cf: unused parameter: mysqlxx=proxy:mysql:mysqlfoo
-./postconf: warning: ./main.cf: unused parameter: mongodbxx=proxy:mongodb:mongodbfoo
+./postconf: warning: ./main.cf: unused parameter: pgsqlfoo_domain=bar
+./postconf: warning: ./main.cf: unused parameter: pgsqlfoo_domainx=bar
./postconf: warning: ./main.cf: unused parameter: pgsqlxx=proxy:pgsql:pgsqlfoo
+./postconf: warning: ./main.cf: unused parameter: sqlitefoo_domain=bar
+./postconf: warning: ./main.cf: unused parameter: sqlitefoo_domainx=bar
+./postconf: warning: ./main.cf: unused parameter: sqlitexx=proxy:sqlite:sqlitefoo
t1 = Postfix 2.11 compatible
x = x-value
y = y-value
-./postconf: warning: ./main.cf: unused parameter: t2=$t1
./postconf: warning: ./main.cf: unused parameter: foo=$bar$baz
+./postconf: warning: ./main.cf: unused parameter: t2=$t1
-o {name2=value2a value2b}
arg1a arg1b {arg2a arg2b} {arg3a arg3b}
baz unix - n n 0 0 other
-./postconf: warning: ./master.cf: unused parameter: name2=value2a value2b
./postconf: warning: ./master.cf: unused parameter: name1=value1
+./postconf: warning: ./master.cf: unused parameter: name2=value2a value2b
smtp unix n - n - - smtp
-o test2_process_name=smtp
-o test2_service_name=smtp
-./postconf: warning: ./master.cf: unused parameter: test1_service_name=$service_name
./postconf: warning: ./master.cf: unused parameter: test1_process_name=$process_name
-./postconf: warning: ./master.cf: unused parameter: test2_service_name=$service_name
+./postconf: warning: ./master.cf: unused parameter: test1_service_name=$service_name
./postconf: warning: ./master.cf: unused parameter: test2_process_name=$process_name
+./postconf: warning: ./master.cf: unused parameter: test2_service_name=$service_name
disable_dns_lookups = no
lmtp_use_tls = no
smtpd_tls_dh1024_param_file = auto
+./postconf: warning: ./main.cf: support for parameter deleted-test-only has been removed; instead, do not specify
./postconf: warning: ./main.cf: support for parameter "disable_dns_lookups" will be removed; instead, specify "smtp_dns_support_level"
./postconf: warning: ./main.cf: support for parameter "lmtp_use_tls" will be removed; instead, specify "lmtp_tls_security_level"
./postconf: warning: ./main.cf: support for parameter "smtpd_tls_dh1024_param_file" will be removed; instead, do not specify (leave at default)
-./postconf: warning: ./main.cf: support for parameter deleted-test-only has been removed; instead, do not specify
./postconf: warning: ./master.cf: support for parameter "smtp_enforce_tls" will be removed; instead, specify "smtp_tls_security_level"
./postconf: warning: See https://www.postfix.org/DEPRECATION_README.html for details
_unionmap_debug_domain = whatever
config_directory = .
header_checks = ldap:_baseline debug:ldap:_debug ${_debug}:ldap:_debugvar proxy:debug:ldap:_proxy_debug debug:proxy:ldap:_debug_proxy pipemap:{debug:ldap:_pipemap_debug} debug:pipemap:{ldap:_debug_pipemap} unionmap:{debug:ldap:_unionmap_debug} debug:unionmap:{ldap:_debug_unionmap}
-./postconf: warning: ./main.cf: unused parameter: _unused_debug_pipemap_domain=whatever
-./postconf: warning: ./main.cf: unused parameter: _unused_pipemap_debug_domain=whatever
-./postconf: warning: ./main.cf: unused parameter: _unionmap_debug_foo=whatever
-./postconf: warning: ./main.cf: unused parameter: _unused_unionmap_debug_domain=whatever
-./postconf: warning: ./main.cf: unused parameter: _unused_baseline_domain=whatever
-./postconf: warning: ./main.cf: unused parameter: _debugvar_foo=whatever
-./postconf: warning: ./main.cf: unused parameter: _unused_tables=ldap:_unused_baseline debug:ldap:_unused_debug ${_debug}:ldap:_unused_debugvar proxy:debug:ldap:_unused_proxy_debug debug:proxy:ldap:_unused_debug_proxy pipemap:{debug:ldap:_unused_pipemap_debug} debug:pipemap:{ldap:_unused_debug_pipemap} unionmap:{debug:ldap:_unused_unionmap_debug} debug:unionmap:{ldap:_unused_debug_unionmap}
-./postconf: warning: ./main.cf: unused parameter: _debug_pipemap_foo=whatever
+./postconf: warning: ./main.cf: unused parameter: _baseline_foo=whatever
./postconf: warning: ./main.cf: unused parameter: _debug_foo=whatever
-./postconf: warning: ./main.cf: unused parameter: _pipemap_debug_foo=whatever
-./postconf: warning: ./main.cf: unused parameter: _unused_debug_domain=whatever
-./postconf: warning: ./main.cf: unused parameter: _unused_proxy_debug_domain=whatever
+./postconf: warning: ./main.cf: unused parameter: _debug_pipemap_foo=whatever
./postconf: warning: ./main.cf: unused parameter: _debug_proxy_foo=whatever
-./postconf: warning: ./main.cf: unused parameter: _unused_debugvar_domain=whatever
-./postconf: warning: ./main.cf: unused parameter: _unused_debug_unionmap_domain=whatever
-./postconf: warning: ./main.cf: unused parameter: _baseline_foo=whatever
-./postconf: warning: ./main.cf: unused parameter: _proxy_debug_foo=whatever
./postconf: warning: ./main.cf: unused parameter: _debug_unionmap_foo=whatever
+./postconf: warning: ./main.cf: unused parameter: _debugvar_foo=whatever
+./postconf: warning: ./main.cf: unused parameter: _pipemap_debug_foo=whatever
+./postconf: warning: ./main.cf: unused parameter: _proxy_debug_foo=whatever
+./postconf: warning: ./main.cf: unused parameter: _unionmap_debug_foo=whatever
+./postconf: warning: ./main.cf: unused parameter: _unused_baseline_domain=whatever
+./postconf: warning: ./main.cf: unused parameter: _unused_debug_domain=whatever
+./postconf: warning: ./main.cf: unused parameter: _unused_debug_pipemap_domain=whatever
./postconf: warning: ./main.cf: unused parameter: _unused_debug_proxy_domain=whatever
+./postconf: warning: ./main.cf: unused parameter: _unused_debug_unionmap_domain=whatever
+./postconf: warning: ./main.cf: unused parameter: _unused_debugvar_domain=whatever
+./postconf: warning: ./main.cf: unused parameter: _unused_pipemap_debug_domain=whatever
+./postconf: warning: ./main.cf: unused parameter: _unused_proxy_debug_domain=whatever
+./postconf: warning: ./main.cf: unused parameter: _unused_tables=ldap:_unused_baseline debug:ldap:_unused_debug ${_debug}:ldap:_unused_debugvar proxy:debug:ldap:_unused_proxy_debug debug:proxy:ldap:_unused_debug_proxy pipemap:{debug:ldap:_unused_pipemap_debug} debug:pipemap:{ldap:_unused_debug_pipemap} unionmap:{debug:ldap:_unused_unionmap_debug} debug:unionmap:{ldap:_unused_debug_unionmap}
+./postconf: warning: ./main.cf: unused parameter: _unused_unionmap_debug_domain=whatever
config_directory = .
lmtp_tls_enforce_peername = yes
smtp_tls_enforce_peername = yes
-./postconf: warning: ./main.cf: support for parameter "smtp_tls_enforce_peername" will be removed; instead, specify "smtp_tls_security_level"
./postconf: warning: ./main.cf: support for parameter "lmtp_tls_enforce_peername" will be removed; instead, specify "lmtp_tls_security_level"
-./postconf: warning: ./master.cf: support for parameter "smtp_tls_enforce_peername" will be removed; instead, specify "smtp_tls_security_level"
+./postconf: warning: ./main.cf: support for parameter "smtp_tls_enforce_peername" will be removed; instead, specify "smtp_tls_security_level"
./postconf: warning: ./master.cf: support for parameter "lmtp_tls_enforce_peername" will be removed; instead, specify "lmtp_tls_security_level"
+./postconf: warning: ./master.cf: support for parameter "smtp_tls_enforce_peername" will be removed; instead, specify "smtp_tls_security_level"
./postconf: warning: See https://www.postfix.org/DEPRECATION_README.html for details
config_directory = .
fallback_relay = x
lmtp_cname_overrides_servername = x
-lmtp_per_request_deadline = x
+lmtp_per_record_deadline = x
postscreen_blacklist_action = x
postscreen_dnsbl_ttl = x
postscreen_dnsbl_whitelist_threshold = x
postscreen_whitelist_interfaces = x
smtp_cname_overrides_servername = x
-smtp_per_request_deadline = x
+smtp_per_record_deadline = x
smtpd_client_connection_limit_exceptions = x
+smtpd_per_record_deadline = x
tlsproxy_client_level = x
tlsproxy_client_policy = x
virtual_maps = x
-./postconf: warning: ./main.cf: support for parameter "lmtp_per_request_deadline" will be removed; instead, specify "lmtp_per_request_deadline"
-./postconf: warning: ./main.cf: support for parameter "tlsproxy_client_policy" will be removed; instead, specify "tlsproxy_client_policy_maps"
-./postconf: warning: ./main.cf: support for parameter "virtual_maps" will be removed; instead, specify "virtual_alias_maps"
./postconf: warning: ./main.cf: support for parameter "authorized_verp_clients" will be removed; instead, specify "smtpd_authorized_verp_clients"
-./postconf: warning: ./main.cf: support for parameter "tlsproxy_client_level" will be removed; instead, specify "tlsproxy_client_security_level"
-./postconf: warning: ./main.cf: support for parameter "smtpd_client_connection_limit_exceptions" will be removed; instead, specify "smtpd_client_event_limit_exceptions"
-./postconf: warning: ./main.cf: support for parameter "postscreen_whitelist_interfaces" will be removed; instead, specify "postscreen_allowlist_interfaces"
./postconf: warning: ./main.cf: support for parameter "fallback_relay" will be removed; instead, specify "smtp_fallback_relay"
-./postconf: warning: ./main.cf: support for parameter "postscreen_dnsbl_ttl" will be removed; instead, specify "postscreen_dnsbl_max_ttl"
./postconf: warning: ./main.cf: support for parameter "lmtp_cname_overrides_servername" will be removed; instead, do not specify
-./postconf: warning: ./main.cf: support for parameter "smtp_cname_overrides_servername" will be removed; instead, do not specify
-./postconf: warning: ./main.cf: support for parameter "postscreen_dnsbl_whitelist_threshold" will be removed; instead, specify "postscreen_dnsbl_allowlist_threshold"
+./postconf: warning: ./main.cf: support for parameter "lmtp_per_record_deadline" will be removed; instead, specify "lmtp_per_request_deadline"
./postconf: warning: ./main.cf: support for parameter "postscreen_blacklist_action" will be removed; instead, specify "postscreen_denylist_action"
-./postconf: warning: ./main.cf: support for parameter "smtp_per_request_deadline" will be removed; instead, specify "smtp_per_request_deadline"
-./postconf: warning: ./master.cf: support for parameter "smtp_tls_enforce_peername" will be removed; instead, specify "smtp_tls_security_level"
+./postconf: warning: ./main.cf: support for parameter "postscreen_dnsbl_ttl" will be removed; instead, specify "postscreen_dnsbl_max_ttl"
+./postconf: warning: ./main.cf: support for parameter "postscreen_dnsbl_whitelist_threshold" will be removed; instead, specify "postscreen_dnsbl_allowlist_threshold"
+./postconf: warning: ./main.cf: support for parameter "postscreen_whitelist_interfaces" will be removed; instead, specify "postscreen_allowlist_interfaces"
+./postconf: warning: ./main.cf: support for parameter "smtp_cname_overrides_servername" will be removed; instead, do not specify
+./postconf: warning: ./main.cf: support for parameter "smtp_per_record_deadline" will be removed; instead, specify "smtp_per_request_deadline"
+./postconf: warning: ./main.cf: support for parameter "smtpd_client_connection_limit_exceptions" will be removed; instead, specify "smtpd_client_event_limit_exceptions"
+./postconf: warning: ./main.cf: support for parameter "smtpd_per_record_deadline" will be removed; instead, specify "smtpd_per_request_deadline"
+./postconf: warning: ./main.cf: support for parameter "tlsproxy_client_level" will be removed; instead, specify "tlsproxy_client_security_level"
+./postconf: warning: ./main.cf: support for parameter "tlsproxy_client_policy" will be removed; instead, specify "tlsproxy_client_policy_maps"
+./postconf: warning: ./main.cf: support for parameter "virtual_maps" will be removed; instead, specify "virtual_alias_maps"
./postconf: warning: ./master.cf: support for parameter "lmtp_tls_enforce_peername" will be removed; instead, specify "lmtp_tls_security_level"
+./postconf: warning: ./master.cf: support for parameter "smtp_tls_enforce_peername" will be removed; instead, specify "smtp_tls_security_level"
./postconf: warning: See https://www.postfix.org/DEPRECATION_README.html for details
/* These synonymous values combine ssl-expert with ssl-session-packet-dump.
/* For experts only, and in most cases, use wireshark instead.
/* .IP "\fBssl-debug\fR"
-/* Turn on OpenSSL logging of the progress of the SSL handshake.
+/* Turn on OpenSSL logging of the progress of the SSL handshake. This
+/* includes detailed output of decoded handshake messages.
/* .IP "\fBssl-handshake-packet-dump\fR"
/* Log hexadecimal packet dumps of the SSL handshake; for experts only.
/* .IP "\fBssl-session-packet-dump\fR"
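Review bot: The sentence added under `ssl-debug` promises decoded handshake messages unconditionally, but the tracing code this patch adds is compiled only under `#ifndef OPENSSL_NO_SSL_TRACE`. With an OpenSSL build that lacks trace support, the option will not produce that output. I would qualify the manual text, for example `/* When OpenSSL is built with SSL trace support, this also logs decoded handshake messages.` The manual comment block starts and ends outside this hunk.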
exit(1);
}
+
+#ifndef OPENSSL_NO_SSL_TRACE
+static void ssl_trace(int write_p, int version, int content_type,
+ const void *buf, size_t msglen, SSL *ssl, void *arg)
+{
+ BIO *out = (BIO *) arg;
+
+ /* Avoid mixing BIO and vstream/stdio buffers */
+ vstream_fflush(VSTREAM_OUT);
+ SSL_trace(write_p, version, content_type, buf, msglen, ssl, out);
+ (void) BIO_flush(out);
+}
+
+#endif
+
+
/* tls_init - initialize application TLS library context */
static void tls_init(STATE *state)
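Review bot: `ssl_trace()` passes `arg` to `SSL_trace()` and `BIO_flush()` without checking it for null. The BIO comes from the `BIO_new_fp(stdout, BIO_NOCLOSE)` call added in the later hunk that sets `state.tls_bio`, and that result is not checked before the `tls_init()` hunk registers it as the callback argument. A failed allocation would therefore reach the callback as a null pointer. Either test at creation with `if (state.tls_bio == 0) msg_fatal("BIO_new_fp: out of memory");`, or add `&& state->tls_bio != 0` to the condition that installs the callback. The new function also lacks the one-line header comment the file uses for `tls_init`, e.g. `/* ssl_trace - decode TLS protocol messages to the trace BIO */`.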
CAfile = state->CAfile,
CApath = state->CApath,
mdalg = state->mdalg);
+#ifndef OPENSSL_NO_SSL_TRACE
+ if (state->tls_ctx != 0
+ && (state->log_mask & TLS_LOG_DEBUG)) {
+ SSL_CTX_set_msg_callback(state->tls_ctx->ssl_ctx, ssl_trace);
+ SSL_CTX_set_msg_callback_arg(state->tls_ctx->ssl_ctx, state->tls_bio);
+ }
+#endif
#endif
}
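Review bot: The registration site has no comment saying that the callback is installed on the `SSL_CTX`, so it applies to every session created from that context, or that `SSL_trace()` output goes to stdout through `state->tls_bio`. That matters because the decoded handshake contents (peer certificates, and presumably session tickets) end up in whatever captures this tool's output. A short comment above the `if` would record this, e.g. `/* ssl-debug: decode TLS messages to stdout; output may contain handshake details, treat captured logs accordingly */`. The two consecutive `#endif` lines would also read better with `/* OPENSSL_NO_SSL_TRACE */` on the inner one. The body of `tls_init()` starts outside this hunk.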
warn_compat_break_smtp_tls_fpt_dgst = 0;
else
state.mdalg = mystrdup(var_smtp_tls_fpt_dgst);
+ state.tls_bio = BIO_new_fp(stdout, BIO_NOCLOSE);
/*
* We first call tls_init(), which ultimately calls SSL_library_init(),
msg_warn("DANE TLS support is not available, resorting to \"secure\"");
state.level = TLS_LEV_SECURE;
}
- state.tls_bio = 0;
- if (state.print_trust)
- state.tls_bio = BIO_new_fp(stdout, BIO_NOCLOSE);
#endif
/* Enforce consistent operation of different Postfix parts. */