Feature: when expanding myhostname or mydomain in bounce
template messages, and smtputf8_enable=yes, convert ACE
(xn--mumble) labels into UTF-8. bounce/bounce_template.c.
+
+20140720
+
+ Cleanup: charset selection and content-transfer encoding
+ in bounce messages (work in progress). The proper solution
+ requires separate handling of the returned-message MIME
+ properties and of the (boiler-plate text, delivery status)
+ MIME properties. File: bounce/bounce_notify_util.c.
+
+20140722
+
+ Documentation: the TLS_README example for creating a
+ self-signed certificate was incomplete. Also, added
+ "smtp_tls_loglevel = 1" and "smtpd_tls_loglevel = 1" settings
+ to cookbook recipes, so that TLS handshake results will be
+ logged. Viktor Dukhovni. File: proto/TLS_README.html.
+
+ Documentation: update Perl MIME::Base64 example. File:
+ proto/SASL_README.html.
+
+ Documentation: update pointer to Bennett Todd's SMTP proxy.
+ File: proto/SMTPD_PROXY_README.html.
+
+20140725
+
+ Documentation: describe what features are controlled by
+ parent_domain_matches_subdomains, both in the description
+ of the controlled feature, and in the description of
+ parent_domain_matches_subdomains. File: proto/postconf.proto.
+
+ Cleanup: smtpd_client_event_limit_exceptions is now controlled
+ with parent_domain_matches_subdomains, with backwards-compatible
+ default (specify .example.com in order to match subdomains
+ of example.com). Files: smtpd/smtpd.c.
+
+ Documentation: SMTPUTF8_README, an updated version of text
+ that was originally part of the RELEASE_NOTES file. Files:
+ proto/SMTPUTF8_README.html, proto/Makefile.in, html/index.html.
+
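Review bot: In the 20140725 entry for smtpd_client_event_limit_exceptions, the parenthetical "(specify .example.com in order to match subdomains of example.com)" does not say whether that is the pattern needed under the default parent_domain_matches_subdomains setting or only once the parameter is removed from that list. Because this list decides which clients are exempt from the smtpd connection and rate limits, the entry should state explicitly which form matches subdomains by default. The same entry says "Files:" but names a single file; "File: smtpd/smtpd.c." would match the other entries.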
* TLS_README: TLS Encryption and authentication
* FORWARD_SECRECY_README: TLS Forward Secrecy
* IPV6_README: IP Version 6 Support
- * MULTI_INSTANCE_README: Multiple-instance management
+ * IPV6_README: IP Version 6 Support
+ * SMTPUTF8_README: SMTPUTF8 support
* INSTALL: Installation from source code
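Review bot: As shown, this hunk removes the "MULTI_INSTANCE_README: Multiple-instance management" entry and adds "IPV6_README: IP Version 6 Support" directly below an unchanged context line with the same text, so the index ends up listing IPV6_README twice and no longer lists MULTI_INSTANCE_README. If the intent was only to add SMTPUTF8_README, keep the MULTI_INSTANCE_README line and drop the added IPV6_README line.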
P\bPr\bro\bob\bbl\ble\bem\bm s\bso\bol\blv\bvi\bin\bng\bg
The m\bmm\bme\ben\bnc\bco\bod\bde\be command is part of the metamail software.
- * Using Perl M\bMI\bIM\bME\bE:\b::\b:B\bBa\bas\bse\be6\b64\b4:
+ * Using Perl M\bMI\bIM\bME\bE:\b::\b:B\bBa\bas\bse\be6\b64\b4 (from http://www.cpan.org/):
% p\bpe\ber\brl\bl -\b-M\bMM\bMI\bIM\bME\bE:\b::\b:B\bBa\bas\bse\be6\b64\b4 -\b-e\be \\b\
'\b'p\bpr\bri\bin\bnt\bt e\ben\bnc\bco\bod\bde\be_\b_b\bba\bas\bse\be6\b64\b4(\b("\b"\\b\0\b0u\bus\bse\ber\brn\bna\bam\bme\be\\b\0\b0p\bpa\bas\bss\bsw\bwo\bor\brd\bd"\b")\b);\b;'\b'
- MIME::Base64 is available from http://www.cpan.org/.
+ If the username or password contain "@", you must specify "\@".
* Using the g\bge\ben\bn-\b-a\bau\but\bth\bh script:
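Review bot: The added sentence about "@" covers only one of the characters that Perl interpolates inside the double-quoted string passed to encode_base64(); a "$" in the username or password is interpolated the same way and also needs a backslash, otherwise the command silently encodes different credentials. Suggest wording along the lines of: If the username or password contains "@" or "$", you must specify "\@" or "\$". This also fixes the verb agreement ("contain" should be "contains").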
The content filter itself is not described here. You can use any filter that is
SMTP enabled. For non-SMTP capable content filtering software, Bennett Todd's
-SMTP proxy implements a nice PERL/SMTP content filtering framework. See: http:/
-/bent.latency.net/smtpprox/.
+SMTP proxy implements a nice Perl-based framework. See: http://
+bent.latency.net/smtpprox/ or https://github.com/jnorell/smtpprox.
Postfix
Postfix filter on SMTP server Postfix Postfix
--- /dev/null
+ P\bPo\bos\bst\btf\bfi\bix\bx S\bSM\bMT\bTP\bPU\bUT\bTF\bF8\b8 s\bsu\bup\bpp\bpo\bor\brt\bt
+
+-------------------------------------------------------------------------------
+
+O\bOv\bve\ber\brv\bvi\bie\bew\bw
+
+This document describes Postfix support for Email Address Internationalization
+(EAI) as defined in RFC 6531 (SMTPUTF8 extension), RFC 6532 (Internationalized
+email headers) and RFC 6533 (Internationalized delivery status notifications).
+Introduced with Postfix version 2.12, this fully supports UTF-8 email addresses
+and UTF-8 message header values.
+
+Topics covered in this document:
+
+ * Enabling Postfix SMTPUTF8 support
+ * Using Postfix SMTPUTF8 support
+ * SMTPUTF8 autodetection
+ * Limitations of the current implementation
+ * Compatibility with pre-SMTPUTF8 environments
+ * Building with/without SMTPUTF8 support
+ * Credits
+
+E\bEn\bna\bab\bbl\bli\bin\bng\bg P\bPo\bos\bst\btf\bfi\bix\bx S\bSM\bMT\bTP\bPU\bUT\bTF\bF8\b8 s\bsu\bup\bpp\bpo\bor\brt\bt
+
+By default, Postfix SMTPUTF8 support is disabled. Thus, Postfix should work
+exactly as it has worked before SMTPUTF8 support was implemented.
+
+Before turning on SMTPUTF8 support in Postfix, you need to verify that the rest
+of your email infrastructure can handle UTF-8 email addresses and message
+header values, including SMTPUTF8 protocol support in SMTP-based content
+filters (Amavisd), LMTP servers (Dovecot), and down-stream SMTP servers.
+
+SMTPUTF8 support is enabled by setting the smtputf8_enable parameter in
+main.cf:
+
+ # postconf "smtputf8_enable = yes"
+ # postfix reload
+
+With SMTPUTF8 support enabled, Postfix changes behavior as follows:
+
+ * UTF-8 is permitted in the myorigin parameter value. However, the myhostname
+ and mydomain parameters must specify ASCII-only domain names. This
+ limitation may be removed later.
+
+ * The Postfix SMTP server announces SMTPUTF8 support in the EHLO response.
+
+ 220 server.example.com ESMTP Postfix
+ EHLO client.example.com
+ 250-server.example.com
+ 250-PIPELINING
+ 250-SIZE 10240000
+ 250-VRFY
+ 250-ETRN
+ 250-STARTTLS
+ 250-AUTH PLAIN LOGIN
+ 250-ENHANCEDSTATUSCODES
+ 250-8BITMIME
+ 250-DSN
+ 250 SMTPUTF8
+
+ * The Postfix SMTP server accepts the SMTPUTF8 request in MAIL FROM and VRFY
+ commands.
+
+ MAIL FROM:<address> SMTPUTF8 ...
+
+ VRFY address SMTPUTF8
+
+ * The Postfix SMTP client may issue the SMTPUTF8 request in MAIL FROM
+ commands.
+
+ * Postfix already permitted UTF-8 in message header values and in address
+ localparts. This does not change.
+
+ * The Postfix SMTP server accepts UTF-8 in email address domains, but only
+ after the remote SMTP client client issues the SMTPUTF8 request in MAIL
+ FROM or VRFY commands.
+
+U\bUs\bsi\bin\bng\bg P\bPo\bos\bst\btf\bfi\bix\bx S\bSM\bMT\bTP\bPU\bUT\bTF\bF8\b8 s\bsu\bup\bpp\bpo\bor\brt\bt
+
+After Postfix SMTPUTF8 support is turned on, Postfix behavior will depend on 1)
+whether a remote SMTP client requests SMTPUTF8 support, 2) the presence of UTF-
+8 content in the message envelope and headers, and 3) whether a down-stream
+SMTP (or LMTP) server announces SMTPUTF8 support.
+
+ * When the Postfix SMTP server receives a message WITHOUT the SMTPUTF8
+ request, Postfix handles the message as it has always done (at least that
+ is the default, see autodetection below). Specifically, the Postfix SMTP
+ server does not accept UTF-8 in the envelope sender domain name or envelope
+ recipient domain name, and the Postfix SMTP client does not issue the
+ SMTPUTF8 request when delivering that message an SMTP or LMTP server that
+ announces SMTPUTF8 support (again, that is the default). Postfix will
+ accept UTF-8 in message header values and in the localpart of envelope
+ sender and recipient addresses, because it has always done that.
+
+ * When the Postfix SMTP server receives a message WITH the SMTPUTF8 request,
+ Postfix will issue the SMTPUTF8 request when delivering that message to an
+ SMTP or LMTP server that announces SMTPUTF8 support. This is not
+ configurable.
+
+ * When a message is received with the SMTPUTF8 request, Postfix will deliver
+ the message to a non-SMTPUTF8 SMTP or LMTP server ONLY if:
+
+ o No message header value contains UTF-8.
+
+ o The envelope sender address contains no UTF-8,
+
+ o No envelope recipient address for that specific SMTP/LMTP delivery
+ transaction contains UTF-8.
+
+ NOTE: Recipients in other email delivery transactions for that same
+ message may still contain UTF-8.
+
+ Otherwise, Postfix will return the recipient(s) for that email delivery
+ transaction as undeliverable. The delivery status notification message will
+ be an SMTPUTF8 message. It will therefore be subject to the same
+ restrictions as email that is received with the SMTPUTF8 request.
+
+ * When the Postfix SMTP server receives a message with the SMTPUTF8 request,
+ that request also applies after the message is forwarded via a virtual or
+ local alias, or $HOME/.forward file.
+
+S\bSM\bMT\bTP\bPU\bUT\bTF\bF8\b8 a\bau\but\bto\bod\bde\bet\bte\bec\bct\bti\bio\bon\bn
+
+This section applies only to systems that have SMTPUTF8 support turned on
+(smtputf8_enable = yes).
+
+For compatibility with pre-SMTPUTF8 environments, Postfix does not
+automatically set the "SMTPUTF8 requested" flag on messages from non-SMTPUTF8
+clients that contain an UTF-8 header value or UTF-8 address localpart. This
+would make such messages undeliverable to non-SMTPUTF8 servers, and could be a
+barrier to SMTPUTF8 adoption.
+
+By default, Postfix sets the "SMTPUTF8 requested" flag only on address
+verification probes and on Postfix sendmail submissions that contain UTF-8 in
+the sender address, UTF-8 in a recipient address, or UTF-8 in a message header
+value.
+
+ /etc/postfix/main.cf:
+ smtputf8_autodetect_classes = sendmail, verify
+
+However, if you have a non-ASCII myorigin or mydomain setting, or if you have a
+configuration that introduces UTF-8 addresses with virtual aliases, canonical
+mappings, or BCC mappings, then you may have to apply SMTPUTF8 autodetection to
+all email:
+
+ /etc/postfix/main.cf:
+ smtputf8_autodetect_classes = all
+
+This will, of course, also flag email that was received without SMTPUTF8
+request, but that contains UTF-8 in a sender address localpart, receiver
+address localpart, or message header value. Such email was not standards-
+compliant, but Postfix would have delivered it if SMTPUTF8 support was
+disabled.
+
+L\bLi\bim\bmi\bit\bta\bat\bti\bio\bon\bns\bs o\bof\bf t\bth\bhe\be c\bcu\bur\brr\bre\ben\bnt\bt i\bim\bmp\bpl\ble\bem\bme\ben\bnt\bta\bat\bti\bio\bon\bn
+
+"Internationalized" domain names can appear in two forms: the UTF-8 form, and
+the ASCII (xn--mumble) form.
+
+N\bNo\bo c\bch\bha\bar\bra\bac\bct\bte\ber\brs\bse\bet\bt c\bca\ban\bno\bon\bni\bic\bca\bal\bli\biz\bza\bat\bti\bio\bon\bn f\bfo\bor\br n\bno\bon\bn-\b-A\bAS\bSC\bCI\bII\bI d\bdo\bom\bma\bai\bin\bn n\bna\bam\bme\bes\bs.\b.
+
+Postfix currently does not translate domain names from UTF-8 into ASCII (or
+ASCII into UTF-8) before looking up the domain name in mydestination,
+relay_domains, access tables, etc., before logging the domain name, or before
+using the domain name in a policy daemon or Milter request. You will have to
+configure both UTF-8 and ASCII forms in Postfix configuration files; and both
+forms will have to be handled by logfile tools, policy daemons and Milters.
+
+N\bNo\bo c\bca\bas\bse\be c\bca\ban\bno\bon\bni\bic\bca\bal\bli\biz\bza\bat\bti\bio\bon\bn f\bfo\bor\br n\bno\bon\bn-\b-A\bAS\bSC\bCI\bII\bI c\bch\bha\bar\bra\bac\bct\bte\ber\brs\bs.\b.
+
+Postfix currently does not case-fold non-ASCII characters when looking up an
+"Internationalized" domain name in mydestination, relay_domains, access maps,
+etc. Some non-ASCII scripts do not distinguish between upper and lower case,
+some have different numbers of upper and lower case characters.
+
+C\bCo\bom\bmp\bpa\bat\bti\bib\bbi\bil\bli\bit\bty\by w\bwi\bit\bth\bh p\bpr\bre\be-\b-S\bSM\bMT\bTP\bPU\bUT\bTF\bF8\b8 e\ben\bnv\bvi\bir\bro\bon\bnm\bme\ben\bnt\bts\bs
+
+M\bMa\bai\bil\bli\bin\bng\bg l\bli\bis\bst\bts\bs w\bwi\bit\bth\bh U\bUT\bTF\bF-\b-8\b8 a\ban\bnd\bd n\bno\bon\bn-\b-U\bUT\bTF\bF-\b-8\b8 s\bsu\bub\bbs\bsc\bcr\bri\bib\bbe\ber\brs\bs
+
+With Postfix, there is no need to split mailing lists into UTF-8 and non-UTF-
+8 members. Postfix will try to deliver the non-UTF8 subscribers over
+"traditional" non-SMTPUTF8 sessions, as long as the message has an ASCII
+envelope sender address and all-ASCII header values. The mailing list manager
+will have to apply RFC 2047 encoding to satisfy that last condition.
+
+P\bPr\bre\be-\b-e\bex\bxi\bis\bst\bti\bin\bng\bg n\bno\bon\bn-\b-A\bAS\bSC\bCI\bII\bI e\bem\bma\bai\bil\bl f\bfl\blo\bow\bws\bs
+
+In pre-SMTPUTF8 environments, email with UTF-8 in address localparts (and in
+headers) works just fine because the vast majority of email software including
+Postfix is perfectly capable of handling such email, even if pre-SMTPUTF8
+standards do not support this.
+
+Therefore, when Postfix SMTPUTF8 support is turned on, Postfix must not
+suddenly start to break pre-existing email flows with UTF-8 in addres
+localparts (and in headers).
+
+Thus, Postfix continues to permit UTF-8 in address localparts (and in headers)
+in email from and to pre-SMTPUTF8 systems. At least, that is the default (see
+autodetection above).
+
+B\bBu\bui\bil\bld\bdi\bin\bng\bg w\bwi\bit\bth\bh/\b/w\bwi\bit\bth\bho\bou\but\bt S\bSM\bMT\bTP\bPU\bUT\bTF\bF8\b8 s\bsu\bup\bpp\bpo\bor\brt\bt
+
+Postfix SMTPUTF8 support requires the ICU library. Postfix automatically builds
+with SMTPUTF8 support when the library and its header files are installed. To
+force Postfix to build without SMTPUTF8, specify:
+
+ $ make makefiles -DNO_EAI ...
+
+C\bCr\bre\bed\bdi\bit\bts\bs
+
+ * Arnt Gulbrandsen posted his patch for Unicode email support on May 15,
+ 2014. This work was sponsored by CNNIC.
+
+ * Wietse integrated Arnt Gulbrandsen's code and released Postfix with
+ SMTPUTF8 support on July 15, 2014.
+
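Review bot: In the "Building with/without SMTPUTF8 support" section, "$ make makefiles -DNO_EAI ..." passes -DNO_EAI to make itself rather than to the compiler; compiler defines for a Postfix build go through CCARGS, so this should read make makefiles CCARGS="-DNO_EAI ...". Smaller text fixes in the same file: "client client" in the last bullet of the enabling section, "delivering that message an SMTP or LMTP server" (missing "to"), the comma instead of a period after "The envelope sender address contains no UTF-8", and "addres localparts". Since this README is generated, these need fixing in the proto source as well.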
-x509 -subj "/CN=${fqdn}" -days 3650 -out "${cert}" &&
postconf -e \
"smtpd_tls_cert_file = ${cert}" \
- "smtpd_tls_key_file = ${key}"
+ "smtpd_tls_key_file = ${key}" \
+ 'smtpd_tls_security_level = may' \
+ 'smtpd_tls_received_header = yes' \
+ 'smtpd_tls_loglevel = 1' \
+ 'smtp_tls_security_level = may' \
+ 'smtp_tls_loglevel = 1' \
+ 'smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache'
+ \
+ 'tls_random_source = dev:/dev/urandom'
+
+Note: the last command requires both single (') and double (") quotes.
+
+The postconf(1) command above enables opportunistic TLS for receiving and
+sending mail. It also enables logging of TLS connections and recording of TLS
+use in the "Received" header. TLS session caching is also enabled in the
+Postfix SMTP client. With Postfix >= 2.10, the SMTP server does not need an
+explicit session cache since session reuse is better handled via RFC 5077 TLS
+session tickets.
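Review bot: In the postconf -e command, the line ending in btree:${data_directory}/smtp_scache' has no trailing backslash, and the continuation has wrapped onto a line of its own. Pasted into a shell as shown, postconf runs without the tls_random_source setting, and the stray backslash line then joins with 'tls_random_source = dev:/dev/urandom' so the shell tries to execute that string as a command. Shorten or re-indent the session cache line so the backslash stays on the same line. The note about quoting would also be clearer if it said why: the single quotes keep the shell from expanding ${data_directory}, which must reach postconf literally.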
P\bPr\bri\biv\bva\bat\bte\be C\bCe\ber\brt\bti\bif\bfi\bic\bca\bat\bte\be A\bAu\but\bth\bho\bor\bri\bit\bty\by
smtp_tls_session_cache_database =
btree:/var/lib/postfix/smtp_tls_session_cache
smtp_tls_security_level = may
+ smtp_tls_loglevel = 1
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/foo-cert.pem
smtpd_tls_key_file = /etc/postfix/foo-key.pem
btree:/var/lib/postfix/smtpd_tls_session_cache
tls_random_source = dev:/dev/urandom
smtpd_tls_security_level = may
+ smtpd_tls_loglevel = 1
B\bBu\bui\bil\bld\bdi\bin\bng\bg P\bPo\bos\bst\btf\bfi\bix\bx w\bwi\bit\bth\bh T\bTL\bLS\bS s\bsu\bup\bpp\bpo\bor\brt\bt
Major changes with snapshot 20140715
====================================
-Support for Internationalized Email, also known as EAI or SMTPUTF8,
-defined in RFC 6531..6533. This supports UTF-8 in SMTP/LMTP sender
-addresses, recipient addresses, and message header values. The
-implementation is based on initial work by Arnt Gulbrandsen that
-was funded by CNNIC.
+Support for Email Address Internationalization (EAI) as defined in
+RFC 6531..6533. This supports UTF-8 in SMTP/LMTP sender addresses,
+recipient addresses, and message header values. The implementation
+is based on initial work by Arnt Gulbrandsen that was funded by
+CNNIC.
-This text describes:
-- Compatibility with pre-SMTPUTF8 environments,
-- How to enable SMTPUTF8 support,
-- How to use SMTPUTF8 support,
-- SMTPUTF8 autodetection,
-- Limitations of the current implementation.
-
-Compatibility with pre-SMTPUTF8 environments
---------------------------------------------
-
-Mailing lists with UTF-8 and non-UTF-8 subscribers
-
-With Postfix, there is no need to split mailing lists into UTF-8 and
-non-UTF-8 members. Postfix will try to deliver the non-UTF8 subscribers
-over "traditional" non-SMTPUTF8 sessions, as long as the message
-has an ASCII envelope sender address and all-ASCII header values.
-The mailing list manager will have to apply RFC 2047 encoding to
-satisfy that last condition.
-
-Pre-existing non-ASCII mail flows
-
-In pre-SMTPUTF8 environments, mail with UTF-8 in address localparts
-(and in headers) works just fine because the vast majority of mail
-software including Postfix is perfectly capable of handling such
-mail, even if pre-SMTPUTF8 standards do not support this.
-
-Therefore, when Postfix SMTPUTF8 support is turned on, Postfix must
-not suddenly start to break pre-existing mail flows with UTF-8 in
-addres localparts (and in headers).
-
-Thus, Postfix continues to permit UTF-8 in address localparts (and
-in headers) in mail from and to pre-SMTPUTF8 systems. At least,
-that is the default.
-
-Enabling Postfix SMTPUTF8 support
----------------------------------
-
-By default, SMTPUTF8 support is disabled, and Postfix should work
-exactly as it has worked before.
-
-SMTPUTF8 support is enabled by setting in main.cf:
-
- smtputf8_enable = yes
-
-and by issuing the "postfix reload" command.
-
-With SMTPUTF8 support enabled, Postfix changes behavior as follows:
-
-- UTF-8 is permitted in the myorigin parameter value. However, the
- myhostname and mydomain parameters must specify ASCII-only domain
- names. This limitation may be removed later.
-
-- The Postfix SMTP server announces SMTPUTF8 support in the EHLO
- response.
-
- 250-hostname.example.com
- 250-PIPELINING
- 250-SIZE 10240000
- 250-VRFY
- 250-ETRN
- 250-STARTTLS
- 250-AUTH PLAIN LOGIN
- 250-ENHANCEDSTATUSCODES
- 250-8BITMIME
- 250-DSN
- 250 SMTPUTF8
-
-- The Postfix SMTP server accepts the SMTPUTF8 request in MAIL FROM
- and VRFY commands.
-
- MAIL FROM:<address> SMTPUTF8
- VRFY address SMTPUTF8
-
-- The Postfix SMTP client may issue the SMTPUTF8 request in MAIL FROM
- commands.
-
-- UTF-8 is supported anywhere in an email address, not just silently
- permitted in the localpart, but only after the client issues MAIL
- FROM or VRFY as shown above.
-
-- UTF-8 was already silently permitted in message header values.
-
-SMTP-based content filters (Amavisd) and LMTP servers (Dovecot)
-will need to be updated to support SMTPUTF8. A notice has been
-sent to the respective maintainers.
-
-Using Postfix SMTPUTF8 support
-------------------------------
-
-- When the Postfix SMTP server receives a message WITHOUT the
- SMTPUTF8 request, Postfix handles the message as it has always
- done (at least that is the default, see autodetection below).
- Specifically, the Postfix SMTP server does not accept UTF-8 in the
- envelope sender domain name or envelope recipient domain name,
- and the Postfix SMTP client does not issue the SMTPUTF8 request
- when delivering that message an SMTP or LMTP server that announces
- SMTPUTF8 support (again, that is the default).
-
-- When the Postfix SMTP server receives a message WITH the SMTPUTF8
- request, Postfix will issue the SMTPUTF8 request when delivering
- that message to an SMTP or LMTP server that announces SMTPUTF8
- support. This is not configurable.
-
-- When a message is received with the SMTPUTF8 request, Postfix
- will deliver the message to a non-SMTPUTF8 server ONLY if:
-
- - No message header value contains UTF-8.
-
- - The envelope sender address contains no UTF-8,
-
- - No envelope recipient address for that specific SMTP/LMTP
- delivery transaction contains UTF-8.
-
- NOTE: Recipients in other mail delivery transactions for
- that same message may still contain UTF-8.
-
- Otherwise, Postfix will return the recipient(s) for that mail
- delivery transaction as undeliverable. The delivery status
- notification message will be subject to the same restrictions
- as mail that is received with the SMTPUTF8 request.
-
-- When the Postfix SMTP server receives a message with the SMTPUTF8
- request, that request also applies after the message is forwarded
- via a virtual or local alias, or $HOME/.forward file.
-
-SMTPUTF8 autodetection
-----------------------
-
-By default, Postfix sets the "SMTPUTF8 requested" bit on address
-verification probes and on Postfix sendmail submissions that contain
-UTF-8 in the sender address, UTF-8 in a recipient address, or UTF-8
-in a message header value.
-
- smtputf8_autodetect_classes = sendmail, verify
-
-This will suffice for the vast majority of sites. It minimizes the
-chances of accidentally setting the "SMTPUTF8 requested" bit on a
-message from a non-SMTPUTF8 client, thereby making that message
-undeliverable to a non-SMTPUTF8 server as discussed above. Remember,
-once a message is flagged as "SMTPUTF8 requested", the Postfix SMTP
-client may not be able to deliver it to a non-SMTPUTF8 server.
-
-However, if you have a non-ASCII myorigin or mydomain setting, or
-if you have virtual aliases, canonical mappings, or BCC mappings
-that introduce UTF-8 addresses, then you may have to apply SMTPUTF8
-autodetection to all mail:
-
- smtputf8_autodetect_classes = all
-
-This will, of course, also flag mail that was received without
-SMTPUTF8 request, but that contains UTF-8 in a sender address
-localpart, receiver address localpart, or message header value.
-Such mail was not standards-compliant, but Postfix would have
-delivered it if SMTPUTF8 support was disabled.
-
-Limitations of Postfix SMTPUTF8 support
----------------------------------------
-
-"Internationalized" domain names can appear in two forms: the UTF-8
-form, and the ASCII (xn--mumble) form.
-
-No characterset canonicalization for non-ASCII domain names.
-
-Postfix currently does not translate domain names from UTF-8 into
-ASCII (or ASCII into UTF-8) before looking up the domain name in
-mydestination, relay_domains, access tables, etc., before logging
-the domain name, or before using the domain name in a policy daemon
-or Milter request. You will have to configure both UTF-8 and ASCII
-forms in Postfix configuration files; and both forms will have to
-be handled by logfile tools, policy daemons and Milters.
-
-No case canonicalization for non-ASCII characters.
-
-Postfix currently does not case-fold non-ASCII characters when
-looking up an "Internationalized" domain name in mydestination,
-relay_domains, access maps, etc. Some non-ASCII scripts do not
-distinguish between upper and lower case, some have different numbers
-of upper and lower case characters, and reportedly some even have
-title case in addition to upper and lower case (at this time it
-is unclear if those will ever be used in email addresses, though).
+See SMTPUTF8_README for a description of Postfix SMTPUTF8 support.
Major changes with snapshot 20140703
====================================
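Review bot: After this change the 20140715 release note is reduced to the RFC summary plus "See SMTPUTF8_README", so it no longer names the smtputf8_enable parameter or states that the feature is disabled by default. Someone reading only RELEASE_NOTES to assess upgrade impact loses both facts. Suggest keeping one sentence before the pointer, such as: SMTPUTF8 support is disabled by default and is enabled with "smtputf8_enable = yes".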
Table-driven case folding and case-insensitive string
comparison specifically for UTF-8.
+ The postfix-mumble@postfix.org list manager sends list mail
+ with ORCPT=rfc822;postfix-mumble-outgoing. The local
+ delivery agent drops the ORCPT when the alias has an
+ owner-alias, so what is going on here?
+
When downgrading message/global to 7bit, is quoted-printable
the appropriate encoding? Should it be base64?
<p> SMTP clients outside the SMTP server's network need a different
way to get "same network" privileges. To address this need, Postfix
-supports SASL authentication (<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>, formerly RFC 2554). With
+supports SASL authentication (<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>, formerly <a href="http://tools.ietf.org/html/rfc2554">RFC 2554</a>). With
this a remote SMTP client can authenticate to the Postfix SMTP
server, and the Postfix SMTP client can authenticate to a remote
SMTP server. Once a client is authenticated, a server can give it
<p> The <strong>mmencode</strong> command is part of the metamail
software. </p>
-<li> <p> Using Perl <b>MIME::Base64</b>: </p>
+<li> <p> Using Perl <b>MIME::Base64</b> (from <a href="http://www.cpan.org/">http://www.cpan.org/</a>): </p>
<blockquote>
<pre>
</pre>
</blockquote>
-<p> MIME::Base64 is available from <a href="http://www.cpan.org/">http://www.cpan.org/</a>. </p>
+<p> If the username or password contain "@", you must specify "\@". </p>
<li> <p> Using the <b>gen-auth</b> script: </p>
<p> The content filter itself is not described here. You can use
any filter that is SMTP enabled. For non-SMTP capable content
filtering software, Bennett Todd's SMTP proxy implements a nice
-PERL/SMTP content filtering framework. See:
-<a href="http://bent.latency.net/smtpprox/">http://bent.latency.net/smtpprox/</a>. </p>
+Perl-based framework. See: <a href="http://bent.latency.net/smtpprox/">http://bent.latency.net/smtpprox/</a> or
+https://github.com/jnorell/smtpprox.</p>
<blockquote>
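Review bot: In the added lines, the first URL is wrapped in an anchor element but "https://github.com/jnorell/smtpprox" is bare text, so only one of the two references is clickable in the rendered HTML. Wrap the second URL in an a href as well, and keep the sentence's closing period outside the link so it is not copied as part of the URL.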
--- /dev/null
+<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
+ "http://www.w3.org/TR/html4/loose.dtd">
+
+<html>
+
+<head>
+
+<title>Postfix SMTPUTF8 support</title>
+
+<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
+
+</head>
+
+<body>
+
+<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">
+Postfix SMTPUTF8 support
+</h1>
+
+<hr>
+
+<h2> Overview </h2>
+
+<p> This document describes Postfix support for Email Address
+Internationalization (EAI) as defined in <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a> (SMTPUTF8 extension),
+<a href="http://tools.ietf.org/html/rfc6532">RFC 6532</a> (Internationalized email headers) and <a href="http://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized
+delivery status notifications). Introduced with Postfix version
+2.12, this fully supports UTF-8 email addresses and UTF-8 message
+header values. </p>
+
+<p> Topics covered in this document: </p>
+
+<ul>
+
+<li><a href="#enabling">Enabling Postfix SMTPUTF8 support</a>
+
+<li><a href="#using">Using Postfix SMTPUTF8 support</a>
+
+<li><a href="#detecting">SMTPUTF8 autodetection</a>
+
+<li><a href="#limitations">Limitations of the current implementation</a>
+
+<li><a href="#compatibility">Compatibility with pre-SMTPUTF8 environments</a>
+
+<li><a href="#building">Building with/without SMTPUTF8 support</a>
+
+<li><a href="#credits">Credits</a>
+
+</ul>
+
+<h2> <a name="enabling">Enabling Postfix SMTPUTF8 support</a> </h2>
+
+<p> By default, Postfix SMTPUTF8 support is disabled. Thus, Postfix
+should work exactly as it has worked before SMTPUTF8 support was
+implemented. </p>
+
+<p> Before turning on SMTPUTF8 support in Postfix, you need to
+verify that the rest of your email infrastructure can handle UTF-8
+email addresses and message header values, including SMTPUTF8
+protocol support in SMTP-based content filters (Amavisd), LMTP
+servers (Dovecot), and down-stream SMTP servers. </p>
+
+<p> SMTPUTF8 support is enabled by setting the <a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a>
+parameter in <a href="postconf.5.html">main.cf</a>:</p>
+
+<blockquote>
+<pre>
+# postconf "<a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> = yes"
+# postfix reload
+</pre>
+</blockquote>
+
+<p> With SMTPUTF8 support enabled, Postfix changes behavior as follows: </p>
+
+<ul>
+
+<li> <p> UTF-8 is permitted in the <a href="postconf.5.html#myorigin">myorigin</a> parameter value. However,
+the <a href="postconf.5.html#myhostname">myhostname</a> and <a href="postconf.5.html#mydomain">mydomain</a> parameters must specify ASCII-only
+domain names. This limitation may be removed later. </p>
+
+<li> <p> The Postfix SMTP server announces SMTPUTF8 support in the
+EHLO response. </p>
+
+<pre>
+220 server.example.com ESMTP Postfix
+EHLO client.example.com
+250-server.example.com
+250-PIPELINING
+250-SIZE 10240000
+250-VRFY
+250-ETRN
+250-STARTTLS
+250-AUTH PLAIN LOGIN
+250-ENHANCEDSTATUSCODES
+250-8BITMIME
+250-DSN
+250 SMTPUTF8
+</pre>
+
+<li> <p> The Postfix SMTP server accepts the SMTPUTF8 request in
+MAIL FROM and VRFY commands. </p>
+
+<pre>
+MAIL FROM:<address> SMTPUTF8 ...
+
+VRFY address SMTPUTF8
+</pre>
+
+<li> <p> The Postfix SMTP client may issue the SMTPUTF8 request in
+MAIL FROM commands. </p>
+
+<li> <p> Postfix already permitted UTF-8 in message header values
+and in address localparts. This does not change. </p>
+
+<li> <p> The Postfix SMTP server accepts UTF-8 in email address
+domains, but only after the remote SMTP client client issues the
+SMTPUTF8 request in MAIL FROM or VRFY commands. </p>
+
+</ul>
+
+<h2> <a name="using">Using Postfix SMTPUTF8 support</a> </h2>
+
+<p> After Postfix SMTPUTF8 support is turned on, Postfix behavior
+will depend on 1) whether a remote SMTP client requests SMTPUTF8
+support, 2) the presence of UTF-8 content in the message envelope
+and headers, and 3) whether a down-stream SMTP (or LMTP) server
+announces SMTPUTF8 support. </p>
+
+<ul>
+
+<li> <p> When the Postfix SMTP server receives a message WITHOUT
+the SMTPUTF8 request, Postfix handles the message as it has always
+done (at least that is the default, see autodetection below).
+Specifically, the Postfix SMTP server does not accept UTF-8 in the
+envelope sender domain name or envelope recipient domain name, and
+the Postfix SMTP client does not issue the SMTPUTF8 request when
+delivering that message an SMTP or LMTP server that announces
+SMTPUTF8 support (again, that is the default). Postfix will accept
+UTF-8 in message header values and in the localpart of envelope
+sender and recipient addresses, because it has always done that.
+</p>
+
+<li> <p> When the Postfix SMTP server receives a message WITH the
+SMTPUTF8 request, Postfix will issue the SMTPUTF8 request when
+delivering that message to an SMTP or LMTP server that announces
+SMTPUTF8 support. This is not configurable. </p>
+
+<li> <p> When a message is received with the SMTPUTF8 request,
+Postfix will deliver the message to a non-SMTPUTF8 SMTP or LMTP
+server ONLY if: </p>
+
+ <ul>
+
+ <li> <p> No message header value contains UTF-8. </p>
+
+ <li> <p> The envelope sender address contains no UTF-8, </p>
+
+ <li> <p> No envelope recipient address for that specific
+ SMTP/LMTP delivery transaction contains UTF-8. </p>
+
+ <blockquote> <p> NOTE: Recipients in other email delivery
+ transactions for that same message may still contain UTF-8.
+ </p> </blockquote>
+
+ </ul>
+
+ <p> Otherwise, Postfix will return the recipient(s) for that
+ email delivery transaction as undeliverable. The delivery status
+ notification message will be an SMTPUTF8 message. It will therefore
+ be subject to the same restrictions as email that is received
+ with the SMTPUTF8 request. </p>
+
+<li> <p> When the Postfix SMTP server receives a message with the
+SMTPUTF8 request, that request also applies after the message is
+forwarded via a virtual or local alias, or $HOME/.forward file.
+</p>
+
+</ul>
+
+<h2> <a name="detecting">SMTPUTF8 autodetection</a> </h2>
+
+<p> This section applies only to systems that have SMTPUTF8 support
+turned on (<a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> = yes). </p>
+
+<p> For compatibility with pre-SMTPUTF8 environments, Postfix does
+not automatically set the "SMTPUTF8 requested" flag on messages
+from non-SMTPUTF8 clients that contain an UTF-8 header value or
+UTF-8 address localpart. This would make such messages undeliverable
+to non-SMTPUTF8 servers, and could be a barrier to SMTPUTF8 adoption.
+</p>
+
+<p> By default, Postfix sets the "SMTPUTF8 requested" flag only on
+address verification probes and on Postfix sendmail submissions
+that contain UTF-8 in the sender address, UTF-8 in a recipient
+address, or UTF-8 in a message header value. </p>
+
+<blockquote>
+<pre>
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+ <a href="postconf.5.html#smtputf8_autodetect_classes">smtputf8_autodetect_classes</a> = sendmail, verify
+</pre>
+</blockquote>
+
+<p> However, if you have a non-ASCII <a href="postconf.5.html#myorigin">myorigin</a> or <a href="postconf.5.html#mydomain">mydomain</a> setting,
+or if you have a configuration that introduces UTF-8 addresses with
+virtual aliases, canonical mappings, or BCC mappings, then you may
+have to apply SMTPUTF8 autodetection to all email: </p>
+
+<blockquote>
+<pre>
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+ <a href="postconf.5.html#smtputf8_autodetect_classes">smtputf8_autodetect_classes</a> = all
+</pre>
+</blockquote>
+
+<p> This will, of course, also flag email that was received without
+SMTPUTF8 request, but that contains UTF-8 in a sender address
+localpart, receiver address localpart, or message header value.
+Such email was not standards-compliant, but Postfix would have
+delivered it if SMTPUTF8 support was disabled. </p>
+
+<h2> <a name="limitations">Limitations of the current implementation</a>
+</h2>
+
+<p> "Internationalized" domain names can appear in two forms: the
+UTF-8 form, and the ASCII (xn--mumble) form. </p>
+
+<h3> No characterset canonicalization for non-ASCII domain names.
+</h3>
+
+<p> Postfix currently does not translate domain names from UTF-8
+into ASCII (or ASCII into UTF-8) before looking up the domain name
+in <a href="postconf.5.html#mydestination">mydestination</a>, <a href="postconf.5.html#relay_domains">relay_domains</a>, access tables, etc., before logging
+the domain name, or before using the domain name in a policy daemon
+or Milter request. You will have to configure both UTF-8 and ASCII
+forms in Postfix configuration files; and both forms will have to
+be handled by logfile tools, policy daemons and Milters. </p>
+
+<h3> No case canonicalization for non-ASCII characters. </h3>
+
+<p> Postfix currently does not case-fold non-ASCII characters when
+looking up an "Internationalized" domain name in <a href="postconf.5.html#mydestination">mydestination</a>,
+<a href="postconf.5.html#relay_domains">relay_domains</a>, access maps, etc. Some non-ASCII scripts do not
+distinguish between upper and lower case, some have different numbers
+of upper and lower case characters. </p>
+
+<h2> <a name="compatibility">Compatibility with pre-SMTPUTF8
+environments</a> </h2>
+
+<h3> Mailing lists with UTF-8 and non-UTF-8 subscribers </h3>
+
+<p> With Postfix, there is no need to split mailing lists into UTF-8 and
+non-UTF-8 members. Postfix will try to deliver the non-UTF8 subscribers
+over "traditional" non-SMTPUTF8 sessions, as long as the message
+has an ASCII envelope sender address and all-ASCII header values.
+The mailing list manager will have to apply <a href="http://tools.ietf.org/html/rfc2047">RFC 2047</a> encoding to
+satisfy that last condition. </p>
+
+<h3> Pre-existing non-ASCII email flows </h3>
+
+<p> In pre-SMTPUTF8 environments, email with UTF-8 in address
+localparts (and in headers) works just fine because the vast majority
+of email software including Postfix is perfectly capable of handling
+such email, even if pre-SMTPUTF8 standards do not support this. </p>
+
+<p> Therefore, when Postfix SMTPUTF8 support is turned on, Postfix
+must not suddenly start to break pre-existing email flows with UTF-8
+in addres localparts (and in headers). </p>
+
+<p> Thus, Postfix continues to permit UTF-8 in address localparts
+(and in headers) in email from and to pre-SMTPUTF8 systems. At
+least, that is the default (see autodetection above). </p>
+
+<h2> <a name="building">Building with/without SMTPUTF8 support</a>
+</h2>
+
+<p> Postfix SMTPUTF8 support requires the ICU library. Postfix
+automatically builds with SMTPUTF8 support when the library and
+its header files are installed. To force Postfix to build without
+SMTPUTF8, specify: </p>
+
+<blockquote>
+<pre>
+$ make makefiles -DNO_EAI ...
+</pre>
+</blockquote>
+
+<h2> <a name="credits">Credits</a> </h2>
+
+<ul>
+
+<li> <p> Arnt Gulbrandsen posted his patch for Unicode email support
+on May 15, 2014. This work was sponsored by CNNIC. </p>
+
+<li> <p> Wietse integrated Arnt Gulbrandsen's code and released
+Postfix with SMTPUTF8 support on July 15, 2014. </p>
+
+</ul>
+
+</body>
+
+</html>
+
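Review bot: The build recipe under "Building with/without SMTPUTF8 support" passes the compiler define directly to make ("$ make makefiles -DNO_EAI ..."), so make will treat it as one of its own options instead of handing it to the compiler. Postfix build-time defines are normally supplied through CCARGS, for example make makefiles CCARGS="-DNO_EAI ...", and the recipe should use that form. Two wording nits in the same file: "addres localparts" under "Pre-existing non-ASCII email flows" should read "address localparts", and "an UTF-8 header value" in the autodetection section should read "a UTF-8 header value".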
-x509 -subj "/CN=${fqdn}" -days 3650 -out "${cert}" &&
postconf -e \
"<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> = ${cert}" \
- "<a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a> = ${key}"
+ "<a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a> = ${key}" \
+ '<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = may' \
+ '<a href="postconf.5.html#smtpd_tls_received_header">smtpd_tls_received_header</a> = yes' \
+ '<a href="postconf.5.html#smtpd_tls_loglevel">smtpd_tls_loglevel</a> = 1' \
+ '<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = may' \
+ '<a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> = 1' \
+ '<a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> = <a href="DATABASE_README.html#types">btree</a>:${<a href="postconf.5.html#data_directory">data_directory</a>}/smtp_scache' \
+ '<a href="postconf.5.html#tls_random_source">tls_random_source</a> = dev:/dev/urandom'
</pre>
</blockquote>
+<p> Note: the last command requires both single (') and double (")
+quotes. </p>
+
+<p> The <a href="postconf.1.html">postconf(1)</a> command above enables opportunistic TLS for
+receiving and sending mail. It also enables logging of TLS connections
+and recording of TLS use in the "Received" header. TLS session
+caching is also enabled in the Postfix SMTP client. With Postfix
+≥ 2.10, the SMTP server does not need an explicit session cache
+since session reuse is better handled via <a href="http://tools.ietf.org/html/rfc5077">RFC 5077</a> TLS session
+tickets. </p>
+
<h3><a name="private-ca">Private Certificate Authority</a></h3>
<ul>
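Review bot: The added note "the last command requires both single (') and double (") quotes" does not say why, which is the part a reader has to get right when adapting the recipe. Suggest stating that the double-quoted arguments let the shell expand ${cert} and ${key}, while the single-quoted smtp_tls_session_cache_database value must reach postconf with ${data_directory} unexpanded so that Postfix, not the shell, resolves it.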
<a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> =
<a href="DATABASE_README.html#types">btree</a>:/var/lib/postfix/smtp_tls_session_cache
<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = may
+ <a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> = 1
<a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> = /etc/postfix/cacert.pem
<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> = /etc/postfix/foo-cert.pem
<a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a> = /etc/postfix/foo-key.pem
<a href="DATABASE_README.html#types">btree</a>:/var/lib/postfix/smtpd_tls_session_cache
<a href="postconf.5.html#tls_random_source">tls_random_source</a> = dev:/dev/urandom
<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = may
+ <a href="postconf.5.html#smtpd_tls_loglevel">smtpd_tls_loglevel</a> = 1
</pre>
</blockquote>
process manager.
The record is implemented as a per-destination logfile with as contents
- the queue IDs of deferred mail. A logfile is append-only, and is trun-
+ the queue IDs of deferred mail. A logfile is append-only, and is trun‐
cated when delivery is requested for the corresponding destination. A
destination is the part on the right-hand side of the right-most <b>@</b> in
an email address.
- Per-destination logfiles of deferred mail are maintained only for eli-
+ Per-destination logfiles of deferred mail are maintained only for eli‐
gible destinations. The list of eligible destinations is specified with
the <b><a href="postconf.5.html#fast_flush_domains">fast_flush_domains</a></b> configuration parameter, which defaults to
<b>$<a href="postconf.5.html#relay_domains">relay_domains</a></b>.
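Review bot: The only difference in these paragraphs is the line-end hyphen ("trun-" becomes "trun‐", "eli-" becomes "eli‐"), which swaps ASCII hyphen-minus for U+2010 in generated HTML. That looks like a side effect of regenerating the page rather than an intended edit. Suggest either regenerating with the same formatter settings as before or moving the generated-file churn into its own change, so the real text changes to this page (the parent_domain_matches_subdomains description) are not buried.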
queue ID is queued for the specified destination.
<b>send_site</b> <i>sitename</i>
- Request delivery of mail that is queued for the specified desti-
+ Request delivery of mail that is queued for the specified desti‐
nation.
<b>send_file</b> <i>queueid</i>
Fast flush logfiles are truncated only after a "send" request, not when
mail is actually delivered, and therefore can accumulate outdated or
redundant data. In order to maintain sanity, "refresh" must be executed
- periodically. This can be automated with a suitable wakeup timer set-
+ periodically. This can be automated with a suitable wakeup timer set‐
ting in the <a href="master.5.html"><b>master.cf</b></a> configuration file.
Upon receipt of a request to deliver mail for an eligible destination,
more details including examples.
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
- The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
+ The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con‐
figuration files.
<b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
request before it is terminated by a built-in watchdog timer.
<b><a href="postconf.5.html#fast_flush_domains">fast_flush_domains</a> ($<a href="postconf.5.html#relay_domains">relay_domains</a>)</b>
- Optional list of destinations that are eligible for per-destina-
+ Optional list of destinations that are eligible for per-destina‐
tion logfiles with mail that is queued to those destinations.
<b><a href="postconf.5.html#fast_flush_refresh_time">fast_flush_refresh_time</a> (12h)</b>
"fast flush" logfile needs to be refreshed.
<b><a href="postconf.5.html#fast_flush_purge_time">fast_flush_purge_time</a> (7d)</b>
- The time after which an empty per-destination "fast flush" log-
+ The time after which an empty per-destination "fast flush" log‐
file is deleted.
<b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
process will service before terminating voluntarily.
<b><a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a> (see 'postconf -d' output)</b>
- What Postfix features match subdomains of "domain.tld" automati-
- cally, instead of requiring an explicit ".domain.tld" pattern.
+ A list of Postfix features where the pattern "example.com" also
+ matches subdomains of example.com, instead of requiring an
+ explicit ".example.com" pattern.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
The process ID of a Postfix command or daemon process.
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
- The mail system name that is prepended to the process name in
- syslog records, so that "smtpd" becomes, for example, "post-
+ The mail system name that is prepended to the process name in
+ syslog records, so that "smtpd" becomes, for example, "post‐
fix/smtpd".
<b>FILES</b>
<li> <a href="IPV6_README.html"> IP Version 6 Support </a>
-<li> <a href="MULTI_INSTANCE_README.html"> Multiple-instance management </a>
+<li> <a href="IPV6_README.html"> IP Version 6 Support </a>
+
+<li> <a href="SMTPUTF8_README.html"> SMTPUTF8 support </a>
<li> <a href="INSTALL.html"> Installation from source code </a>
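Review bot: The replacement after the existing IPV6_README entry drops the "Multiple-instance management" link and adds a second, identical "IP Version 6 Support" entry, so the index ends up listing IPV6_README twice and no longer links MULTI_INSTANCE_README. If the intent was only to add SMTPUTF8_README, keep the MULTI_INSTANCE_README line and insert the new entry after it.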
patterns or "<a href="DATABASE_README.html">type:table</a>" lookup tables. The right-hand side result
from "<a href="DATABASE_README.html">type:table</a>" lookups is ignored. </p>
-<p> Pattern matching of domain names is controlled by the
-<a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a> parameter. </p>
+<p> Pattern matching of domain names is controlled by the presence
+or absence of "<a href="postconf.5.html#debug_peer_list">debug_peer_list</a>" in the <a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a>
+parameter value. </p>
<p>
Examples:
lookup table is matched when the domain or its parent domain appears
as lookup key. </p>
+<p> Pattern matching of domain names is controlled by the presence
+or absence of "<a href="postconf.5.html#fast_flush_domains">fast_flush_domains</a>" in the <a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a>
+parameter value. </p>
+
<p>
Specify "<a href="postconf.5.html#fast_flush_domains">fast_flush_domains</a> =" (i.e., empty) to disable the feature
altogether.
block from the list. The form "!/file/name" is supported only
in Postfix version 2.4 and later. </p>
-<p> Note: IP version 6 address information must be specified inside
+<p> Note 1: Pattern matching of domain names is controlled by the
+or absence of "<a href="postconf.5.html#mynetworks">mynetworks</a>" in the <a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a>
+parameter value. </p>
+
+<p> Note 2: IP version 6 address information must be specified inside
<tt>[]</tt> in the <a href="postconf.5.html#mynetworks">mynetworks</a> value, and in files specified with
"/file/name". IP version 6 addresses contain the ":" character,
and would otherwise be confused with a "<a href="DATABASE_README.html">type:table</a>" pattern. </p>
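Review bot: Note 1 is missing the word "presence": it reads "controlled by the or absence of "mynetworks"", whereas every sibling note added by this patch says "controlled by the presence or absence of". The changelog names proto/postconf.proto as the source of this text, so the fix belongs there and the generated HTML should be rebuilt from it.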
(default: see "postconf -d" output)</b></DT><DD>
<p>
-What Postfix features match subdomains of "domain.tld" automatically,
-instead of requiring an explicit ".domain.tld" pattern. This is
+A list of Postfix features where the pattern "example.com" also
+matches subdomains of example.com,
+instead of requiring an explicit ".example.com" pattern. This is
planned backwards compatibility: eventually, all Postfix features
-are expected to require explicit ".domain.tld" style patterns when
+are expected to require explicit ".example.com" style patterns when
you really want to match subdomains.
</p>
+<p> The following Postfix feature names are supported. </p>
+
+<dl>
+
+<dt> Postfix version 1.0 and later</dt>
+
+<dd>
+<a href="postconf.5.html#debug_peer_list">debug_peer_list</a>,
+<a href="postconf.5.html#fast_flush_domains">fast_flush_domains</a>,
+<a href="postconf.5.html#mynetworks">mynetworks</a>,
+<a href="postconf.5.html#permit_mx_backup_networks">permit_mx_backup_networks</a>,
+<a href="postconf.5.html#relay_domains">relay_domains</a>,
+<a href="postconf.5.html#transport_maps">transport_maps</a>
+</dd>
+
+<dt> Postfix version 1.1 and later</dt>
+
+<dd>
+<a href="postconf.5.html#qmqpd_authorized_clients">qmqpd_authorized_clients</a>,
+smtpd_access_maps,
+</dd>
+
+<dt> Postfix version 2.8 and later </dt>
+
+<dd>
+<a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a>
+</dd>
+
+<dt> Postfix version 2.12 and later </dt>
+
+<dd>
+<a href="postconf.5.html#smtpd_client_event_limit_exceptions">smtpd_client_event_limit_exceptions</a>
+</dd>
+
+</dl>
+
</DD>
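Review bot: In the "Postfix version 1.1 and later" entry, "smtpd_access_maps," ends the list with a trailing comma and, unlike every other name in this definition list, carries no link. Drop the comma, and if smtpd_access_maps is a feature name rather than a main.cf parameter, say so in a few words so readers do not search for a parameter of that name.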
The parameter value syntax is the same as with the <a href="postconf.5.html#mynetworks">mynetworks</a>
parameter; note, however, that the default value is empty. </p>
+<p> Pattern matching of domain names is controlled by the presence
+or absence of "<a href="postconf.5.html#permit_mx_backup_networks">permit_mx_backup_networks</a>" in the
+<a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a> parameter value. </p>
+
</DD>
terminate the search if the client IP address matches $<a href="postconf.5.html#mynetworks">mynetworks</a>.
Do not subject the client to any before/after 220 greeting tests.
Pass the connection immediately to a Postfix SMTP server process.
-</dd>
+<br> Pattern matching of domain names is controlled by the presence
+or absence of "<a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a>" in the
+<a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a> parameter value. </dd>
<dt> <b> <a href="DATABASE_README.html">type:table</a> </b> </dt> <dd> Query the specified lookup
table. Each table lookup result is an access list, except that
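Review bot: The new sentence is appended with a line break inside the dd of a single access-list action (the one ending "Pass the connection immediately to a Postfix SMTP server process."), so it reads as a property of that action rather than of postscreen_access_list as a whole. The other parameters touched by this patch get the note as a separate paragraph. Suggest doing the same here, or, if the note really applies only to domain patterns reached through this one action, saying so explicitly.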
in Postfix version 2.4 and later.
</p>
+<p> Pattern matching of domain names is controlled by the presence
+or absence of "<a href="postconf.5.html#qmqpd_authorized_clients">qmqpd_authorized_clients</a>" in the
+<a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a> parameter value. </p>
+
<p>
Example:
</p>
(default: $<a href="postconf.5.html#mydestination">mydestination</a>)</b></DT><DD>
<p> What destination domains (and subdomains thereof) this system
-will relay mail to. Subdomain matching is controlled with the
-<a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a> parameter. For details about how
+will relay mail to. For details about how
the <a href="postconf.5.html#relay_domains">relay_domains</a> value is used, see the description of the
<a href="postconf.5.html#permit_auth_destination">permit_auth_destination</a> and <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a> SMTP recipient
restrictions. </p>
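Review bot: With the parent_domain_matches_subdomains sentence removed, the opening line still promises "(and subdomains thereof)" unconditionally, and the condition is only stated in a note further down the parameter description. Suggest qualifying the opening sentence or keeping a short pointer to the note, since a reader who stops after the first paragraph will assume subdomains of a relay_domains entry are always relayed.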
"!/file/name" is supported only in Postfix version 2.4 and later.
</p>
+<p> Pattern matching of domain names is controlled by the presence
+or absence of "<a href="postconf.5.html#relay_domains">relay_domains</a>" in the <a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a>
+parameter value. </p>
+
</DD>
contain the ":" character, and would otherwise be confused with a
"<a href="DATABASE_README.html">type:table</a>" pattern. </p>
+<p> Pattern matching of domain names is controlled by the presence
+or absence of "<a href="postconf.5.html#smtpd_client_event_limit_exceptions">smtpd_client_event_limit_exceptions</a>" in the
+<a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a> parameter value (postfix 2.12 and
+later). </p>
+
<p>
This feature is available in Postfix 2.2 and later.
</p>
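Review bot: "(postfix 2.12 and later)" uses a lowercase product name where the rest of the document writes "Postfix"; capitalize it. The version qualifier is also easy to miss in a trailing parenthesis when the very next paragraph says the feature is available in Postfix 2.2 and later, so consider making it a separate sentence such as "This applies to Postfix 2.12 and later."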
feature with local files, run "<b>postmap /etc/postfix/transport</b>"
after making a change. </p>
+<p> Pattern matching of domain names is controlled by the presence
+or absence of "<a href="postconf.5.html#transport_maps">transport_maps</a>" in the <a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a>
+parameter value. </p>
+
<p> For safety reasons, as of Postfix 2.3 this feature does not
allow $number substitutions in regular expression maps. </p>
$<a href="postconf.5.html#smtpd_helo_restrictions">smtpd_helo_restrictions</a>.
<b><a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a> (see 'postconf -d' output)</b>
- What Postfix features match subdomains of "domain.tld" automati‐
- cally, instead of requiring an explicit ".domain.tld" pattern.
+ A list of Postfix features where the pattern "example.com" also
+ matches subdomains of example.com, instead of requiring an
+ explicit ".example.com" pattern.
<b><a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> (empty)</b>
- Optional restrictions that the Postfix SMTP server applies in
+ Optional restrictions that the Postfix SMTP server applies in
the context of a client connection request.
<b><a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> (no)</b>
- Require that a remote SMTP client introduces itself with the
- HELO or EHLO command before sending the MAIL command or other
+ Require that a remote SMTP client introduces itself with the
+ HELO or EHLO command before sending the MAIL command or other
commands that require EHLO negotiation.
<b><a href="postconf.5.html#smtpd_helo_restrictions">smtpd_helo_restrictions</a> (empty)</b>
- Optional restrictions that the Postfix SMTP server applies in
+ Optional restrictions that the Postfix SMTP server applies in
the context of a client HELO command.
<b><a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a> (empty)</b>
- Optional restrictions that the Postfix SMTP server applies in
+ Optional restrictions that the Postfix SMTP server applies in
the context of a client MAIL FROM command.
<b><a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> (see 'postconf -d' output)</b>
- Optional restrictions that the Postfix SMTP server applies in
- the context of a client RCPT TO command, after
+ Optional restrictions that the Postfix SMTP server applies in
+ the context of a client RCPT TO command, after
<a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>.
<b><a href="postconf.5.html#smtpd_etrn_restrictions">smtpd_etrn_restrictions</a> (empty)</b>
- Optional restrictions that the Postfix SMTP server applies in
+ Optional restrictions that the Postfix SMTP server applies in
the context of a client ETRN command.
<b><a href="postconf.5.html#allow_untrusted_routing">allow_untrusted_routing</a> (no)</b>
- Forward mail with sender-specified routing
- (user[@%!]remote[@%!]site) from untrusted clients to destina‐
+ Forward mail with sender-specified routing
+ (user[@%!]remote[@%!]site) from untrusted clients to destina‐
tions matching $<a href="postconf.5.html#relay_domains">relay_domains</a>.
<b><a href="postconf.5.html#smtpd_restriction_classes">smtpd_restriction_classes</a> (empty)</b>
User-defined aliases for groups of access restrictions.
<b><a href="postconf.5.html#smtpd_null_access_lookup_key">smtpd_null_access_lookup_key</a> (</b><><b>)</b>
- The lookup key to be used in SMTP <a href="access.5.html"><b>access</b>(5)</a> tables instead of
+ The lookup key to be used in SMTP <a href="access.5.html"><b>access</b>(5)</a> tables instead of
the null sender address.
<b><a href="postconf.5.html#permit_mx_backup_networks">permit_mx_backup_networks</a> (empty)</b>
- Restrict the use of the <a href="postconf.5.html#permit_mx_backup">permit_mx_backup</a> SMTP access feature to
+ Restrict the use of the <a href="postconf.5.html#permit_mx_backup">permit_mx_backup</a> SMTP access feature to
only domains whose primary MX hosts match the listed networks.
Available in Postfix version 2.0 and later:
applies in the context of the SMTP DATA command.
<b><a href="postconf.5.html#smtpd_expansion_filter">smtpd_expansion_filter</a> (see 'postconf -d' output)</b>
- What characters are allowed in $name expansions of RBL reply
+ What characters are allowed in $name expansions of RBL reply
templates.
Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtpd_reject_unlisted_sender">smtpd_reject_unlisted_sender</a> (no)</b>
- Request that the Postfix SMTP server rejects mail from unknown
- sender addresses, even when no explicit <a href="postconf.5.html#reject_unlisted_sender">reject_unlisted_sender</a>
+ Request that the Postfix SMTP server rejects mail from unknown
+ sender addresses, even when no explicit <a href="postconf.5.html#reject_unlisted_sender">reject_unlisted_sender</a>
access restriction is specified.
<b><a href="postconf.5.html#smtpd_reject_unlisted_recipient">smtpd_reject_unlisted_recipient</a> (yes)</b>
- Request that the Postfix SMTP server rejects mail for unknown
- recipient addresses, even when no explicit
+ Request that the Postfix SMTP server rejects mail for unknown
+ recipient addresses, even when no explicit
<a href="postconf.5.html#reject_unlisted_recipient">reject_unlisted_recipient</a> access restriction is specified.
Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> (<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, <a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a>,</b>
<b><a href="postconf.5.html#defer_unauth_destination">defer_unauth_destination</a>)</b>
Access restrictions for mail relay control that the Postfix SMTP
- server applies in the context of the RCPT TO command, before
+ server applies in the context of the RCPT TO command, before
<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a>.
<b>SENDER AND RECIPIENT ADDRESS VERIFICATION CONTROLS</b>
- Postfix version 2.1 introduces sender and recipient address verifica‐
+ Postfix version 2.1 introduces sender and recipient address verifica‐
tion. This feature is implemented by sending probe email messages that
are not actually delivered. This feature is requested via the
- <a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a> and <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a> access
- restrictions. The status of verification probes is maintained by the
- <a href="verify.8.html"><b>verify</b>(8)</a> server. See the file <a href="ADDRESS_VERIFICATION_README.html">ADDRESS_VERIFICATION_README</a> for infor‐
- mation about how to configure and operate the Postfix sender/recipient
+ <a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a> and <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a> access
+ restrictions. The status of verification probes is maintained by the
+ <a href="verify.8.html"><b>verify</b>(8)</a> server. See the file <a href="ADDRESS_VERIFICATION_README.html">ADDRESS_VERIFICATION_README</a> for infor‐
+ mation about how to configure and operate the Postfix sender/recipient
address verification service.
<b><a href="postconf.5.html#address_verify_poll_count">address_verify_poll_count</a> (normal: 3, overload: 1)</b>
fication request in progress.
<b><a href="postconf.5.html#address_verify_sender">address_verify_sender</a> ($<a href="postconf.5.html#double_bounce_sender">double_bounce_sender</a>)</b>
- The sender address to use in address verification probes; prior
+ The sender address to use in address verification probes; prior
to Postfix 2.5 the default was "postmaster".
<b><a href="postconf.5.html#unverified_sender_reject_code">unverified_sender_reject_code</a> (450)</b>
address is rejected by the <a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a> restriction.
<b><a href="postconf.5.html#unverified_recipient_reject_code">unverified_recipient_reject_code</a> (450)</b>
- The numerical Postfix SMTP server response when a recipient
- address is rejected by the <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a> restric‐
+ The numerical Postfix SMTP server response when a recipient
+ address is rejected by the <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a> restric‐
tion.
Available in Postfix version 2.6 and later:
<b><a href="postconf.5.html#unverified_sender_defer_code">unverified_sender_defer_code</a> (450)</b>
- The numerical Postfix SMTP server response code when a sender
+ The numerical Postfix SMTP server response code when a sender
address probe fails due to a temporary error condition.
<b><a href="postconf.5.html#unverified_recipient_defer_code">unverified_recipient_defer_code</a> (450)</b>
- The numerical Postfix SMTP server response when a recipient
+ The numerical Postfix SMTP server response when a recipient
address probe fails due to a temporary error condition.
<b><a href="postconf.5.html#unverified_sender_reject_reason">unverified_sender_reject_reason</a> (empty)</b>
<a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a>.
<b><a href="postconf.5.html#unverified_sender_tempfail_action">unverified_sender_tempfail_action</a> ($<a href="postconf.5.html#reject_tempfail_action">reject_tempfail_action</a>)</b>
- The Postfix SMTP server's action when <a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a>
+ The Postfix SMTP server's action when <a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a>
fails due to a temporary error condition.
<b><a href="postconf.5.html#unverified_recipient_tempfail_action">unverified_recipient_tempfail_action</a> ($<a href="postconf.5.html#reject_tempfail_action">reject_tempfail_action</a>)</b>
- The Postfix SMTP server's action when reject_unverified_recipi‐
+ The Postfix SMTP server's action when reject_unverified_recipi‐
ent fails due to a temporary error condition.
Available with Postfix 2.9 and later:
<b><a href="postconf.5.html#address_verify_sender_ttl">address_verify_sender_ttl</a> (0s)</b>
- The time between changes in the time-dependent portion of
+ The time between changes in the time-dependent portion of
address verification probe sender addresses.
<b>ACCESS CONTROL RESPONSES</b>
map "reject" action.
<b><a href="postconf.5.html#defer_code">defer_code</a> (450)</b>
- The numerical Postfix SMTP server response code when a remote
+ The numerical Postfix SMTP server response code when a remote
SMTP client request is rejected by the "defer" restriction.
<b><a href="postconf.5.html#invalid_hostname_reject_code">invalid_hostname_reject_code</a> (501)</b>
- The numerical Postfix SMTP server response code when the client
- HELO or EHLO command parameter is rejected by the
+ The numerical Postfix SMTP server response code when the client
+ HELO or EHLO command parameter is rejected by the
<a href="postconf.5.html#reject_invalid_helo_hostname">reject_invalid_helo_hostname</a> restriction.
<b><a href="postconf.5.html#maps_rbl_reject_code">maps_rbl_reject_code</a> (554)</b>
- The numerical Postfix SMTP server response code when a remote
- SMTP client request is blocked by the <a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a>,
+ The numerical Postfix SMTP server response code when a remote
+ SMTP client request is blocked by the <a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a>,
<a href="postconf.5.html#reject_rhsbl_client">reject_rhsbl_client</a>, <a href="postconf.5.html#reject_rhsbl_reverse_client">reject_rhsbl_reverse_client</a>,
<a href="postconf.5.html#reject_rhsbl_sender">reject_rhsbl_sender</a> or <a href="postconf.5.html#reject_rhsbl_recipient">reject_rhsbl_recipient</a> restriction.
<b><a href="postconf.5.html#non_fqdn_reject_code">non_fqdn_reject_code</a> (504)</b>
- The numerical Postfix SMTP server reply code when a client
- request is rejected by the <a href="postconf.5.html#reject_non_fqdn_helo_hostname">reject_non_fqdn_helo_hostname</a>,
+ The numerical Postfix SMTP server reply code when a client
+ request is rejected by the <a href="postconf.5.html#reject_non_fqdn_helo_hostname">reject_non_fqdn_helo_hostname</a>,
<a href="postconf.5.html#reject_non_fqdn_sender">reject_non_fqdn_sender</a> or <a href="postconf.5.html#reject_non_fqdn_recipient">reject_non_fqdn_recipient</a> restriction.
<b><a href="postconf.5.html#plaintext_reject_code">plaintext_reject_code</a> (450)</b>
- The numerical Postfix SMTP server response code when a request
+ The numerical Postfix SMTP server response code when a request
is rejected by the <b><a href="postconf.5.html#reject_plaintext_session">reject_plaintext_session</a></b> restriction.
<b><a href="postconf.5.html#reject_code">reject_code</a> (554)</b>
- The numerical Postfix SMTP server response code when a remote
+ The numerical Postfix SMTP server response code when a remote
SMTP client request is rejected by the "reject" restriction.
<b><a href="postconf.5.html#relay_domains_reject_code">relay_domains_reject_code</a> (554)</b>
- The numerical Postfix SMTP server response code when a client
- request is rejected by the <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a> recipient
+ The numerical Postfix SMTP server response code when a client
+ request is rejected by the <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a> recipient
restriction.
<b><a href="postconf.5.html#unknown_address_reject_code">unknown_address_reject_code</a> (450)</b>
The numerical Postfix SMTP server response code when a sender or
- recipient address is rejected by the
- <a href="postconf.5.html#reject_unknown_sender_domain">reject_unknown_sender_domain</a> or <a href="postconf.5.html#reject_unknown_recipient_domain">reject_unknown_recipient_domain</a>
+ recipient address is rejected by the
+ <a href="postconf.5.html#reject_unknown_sender_domain">reject_unknown_sender_domain</a> or <a href="postconf.5.html#reject_unknown_recipient_domain">reject_unknown_recipient_domain</a>
restriction.
<b><a href="postconf.5.html#unknown_client_reject_code">unknown_client_reject_code</a> (450)</b>
- The numerical Postfix SMTP server response code when a client
- without valid address <=> name mapping is rejected by the
+ The numerical Postfix SMTP server response code when a client
+ without valid address <=> name mapping is rejected by the
<a href="postconf.5.html#reject_unknown_client_hostname">reject_unknown_client_hostname</a> restriction.
<b><a href="postconf.5.html#unknown_hostname_reject_code">unknown_hostname_reject_code</a> (450)</b>
- The numerical Postfix SMTP server response code when the host‐
- name specified with the HELO or EHLO command is rejected by the
+ The numerical Postfix SMTP server response code when the host‐
+ name specified with the HELO or EHLO command is rejected by the
<a href="postconf.5.html#reject_unknown_helo_hostname">reject_unknown_helo_hostname</a> restriction.
Available in Postfix version 2.0 and later:
<b><a href="postconf.5.html#default_rbl_reply">default_rbl_reply</a> (see 'postconf -d' output)</b>
- The default Postfix SMTP server response template for a request
+ The default Postfix SMTP server response template for a request
that is rejected by an RBL-based restriction.
<b><a href="postconf.5.html#multi_recipient_bounce_reject_code">multi_recipient_bounce_reject_code</a> (550)</b>
- The numerical Postfix SMTP server response code when a remote
- SMTP client request is blocked by the reject_multi_recipi‐
+ The numerical Postfix SMTP server response code when a remote
+ SMTP client request is blocked by the reject_multi_recipi‐
ent_bounce restriction.
<b><a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> (empty)</b>
<b><a href="postconf.5.html#access_map_defer_code">access_map_defer_code</a> (450)</b>
The numerical Postfix SMTP server response code for an <a href="access.5.html"><b>access</b>(5)</a>
- map "defer" action, including "<a href="postconf.5.html#defer_if_permit">defer_if_permit</a>" or
+ map "defer" action, including "<a href="postconf.5.html#defer_if_permit">defer_if_permit</a>" or
"<a href="postconf.5.html#defer_if_reject">defer_if_reject</a>".
<b><a href="postconf.5.html#reject_tempfail_action">reject_tempfail_action</a> (<a href="postconf.5.html#defer_if_permit">defer_if_permit</a>)</b>
- The Postfix SMTP server's action when a reject-type restriction
+ The Postfix SMTP server's action when a reject-type restriction
fails due to a temporary error condition.
<b><a href="postconf.5.html#unknown_helo_hostname_tempfail_action">unknown_helo_hostname_tempfail_action</a> ($<a href="postconf.5.html#reject_tempfail_action">reject_tempfail_action</a>)</b>
- The Postfix SMTP server's action when reject_unknown_helo_host‐
+ The Postfix SMTP server's action when reject_unknown_helo_host‐
name fails due to an temporary error condition.
<b><a href="postconf.5.html#unknown_address_tempfail_action">unknown_address_tempfail_action</a> ($<a href="postconf.5.html#reject_tempfail_action">reject_tempfail_action</a>)</b>
- The Postfix SMTP server's action when
- <a href="postconf.5.html#reject_unknown_sender_domain">reject_unknown_sender_domain</a> or <a href="postconf.5.html#reject_unknown_recipient_domain">reject_unknown_recipient_domain</a>
+ The Postfix SMTP server's action when
+ <a href="postconf.5.html#reject_unknown_sender_domain">reject_unknown_sender_domain</a> or <a href="postconf.5.html#reject_unknown_recipient_domain">reject_unknown_recipient_domain</a>
fail due to a temporary error condition.
<b>MISCELLANEOUS CONTROLS</b>
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
- The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con‐
+ The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con‐
figuration files.
<b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
- How much time a Postfix daemon process may take to handle a
+ How much time a Postfix daemon process may take to handle a
request before it is terminated by a built-in watchdog timer.
<b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b>
The location of all postfix administrative commands.
<b><a href="postconf.5.html#double_bounce_sender">double_bounce_sender</a> (double-bounce)</b>
- The sender address of postmaster notifications that are gener‐
+ The sender address of postmaster notifications that are gener‐
ated by the mail system.
<b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
- The time limit for sending or receiving information over an
+ The time limit for sending or receiving information over an
internal communication channel.
<b><a href="postconf.5.html#mail_name">mail_name</a> (Postfix)</b>
- The mail system name that is displayed in Received: headers, in
+ The mail system name that is displayed in Received: headers, in
the SMTP greeting banner, and in bounced mail.
<b><a href="postconf.5.html#mail_owner">mail_owner</a> (postfix)</b>
- The UNIX system account that owns the Postfix queue and most
+ The UNIX system account that owns the Postfix queue and most
Postfix daemon processes.
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
- The maximum amount of time that an idle Postfix daemon process
+ The maximum amount of time that an idle Postfix daemon process
waits for an incoming connection before terminating voluntarily.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
The internet hostname of this mail system.
<b><a href="postconf.5.html#mynetworks">mynetworks</a> (see 'postconf -d' output)</b>
- The list of "trusted" remote SMTP clients that have more privi‐
+ The list of "trusted" remote SMTP clients that have more privi‐
leges than "strangers".
<b><a href="postconf.5.html#myorigin">myorigin</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
- The domain name that locally-posted mail appears to come from,
+ The domain name that locally-posted mail appears to come from,
and that locally posted mail is delivered to.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
The location of the Postfix top-level queue directory.
<b><a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> (empty)</b>
- The set of characters that can separate a user name from its
- extension (example: user+foo), or a .forward file name from its
+ The set of characters that can separate a user name from its
+ extension (example: user+foo), or a .forward file name from its
extension (example: .forward+foo).
<b><a href="postconf.5.html#smtpd_banner">smtpd_banner</a> ($<a href="postconf.5.html#myhostname">myhostname</a> ESMTP $<a href="postconf.5.html#mail_name">mail_name</a>)</b>
- The text that follows the 220 status code in the SMTP greeting
+ The text that follows the 220 status code in the SMTP greeting
banner.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
- The mail system name that is prepended to the process name in
- syslog records, so that "smtpd" becomes, for example, "post‐
+ The mail system name that is prepended to the process name in
+ syslog records, so that "smtpd" becomes, for example, "post‐
fix/smtpd".
Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a> (CONNECT, GET, POST)</b>
- List of commands that cause the Postfix SMTP server to immedi‐
+ List of commands that cause the Postfix SMTP server to immedi‐
ately terminate the session with a 221 code.
Available in Postfix version 2.5 and later:
strip source routed addresses (<i>@site,@site:user@domain</i>)
to <i>user@domain</i> form.
- <b>remote</b> Append the domain name specified with <b>$<a href="postconf.5.html#remote_header_rewrite_domain">remote_header_re</a>-</b>
- <b><a href="postconf.5.html#remote_header_rewrite_domain">write_domain</a></b> to incomplete addresses. Otherwise the
- result is identical to that of the <b>local</b> address rewrit-
+ <b>remote</b> Append the domain name specified with <b>$remote_header_re</b>‐\b‐
+ <b>write_domain</b> to incomplete addresses. Otherwise the
+ result is identical to that of the <b>local</b> address rewrit‐
ing context. This prevents Postfix from appending the
local domain to spam from poorly written remote clients.
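Review bot: the regenerated line for the "remote" context now ends in a literal "‐\b‐" after "$remote_header_re</b>", which looks like backspace-overstrike output from the man formatter leaking into the HTML, and both halves of $remote_header_rewrite_domain have lost their postconf.5.html#remote_header_rewrite_domain links. The removed lines used an ASCII "-" at the line break and kept both links, so check whether the formatter ran under a locale that emits the Unicode hyphen "‐", and regenerate so that names split across a line break are still linked.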
entry in the <a href="master.5.html"><b>master.cf</b></a> file.
<i>nexthop</i>
- The host to send to and optional delivery method informa-
+ The host to send to and optional delivery method informa‐
tion.
<i>recipient</i>
- The envelope recipient address that is passed on to <i>nex-</i>
+ The envelope recipient address that is passed on to <i>nex‐</i>
<i>thop</i>.
<i>flags</i> The address class, whether the address requires relaying,
<b><a href="postconf.5.html#default_transport">default_transport</a> (smtp)</b>
The default mail delivery transport and next-hop destination for
destinations that do not match $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>,
- $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>, $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mail</a>-
- <a href="postconf.5.html#virtual_mailbox_domains">box_domains</a>, or $<a href="postconf.5.html#relay_domains">relay_domains</a>.
+ $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>, $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, $virtual_mail‐
+ box_domains, or $<a href="postconf.5.html#relay_domains">relay_domains</a>.
<b><a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a> (see 'postconf -d' output)</b>
- What Postfix features match subdomains of "domain.tld" automati-
- cally, instead of requiring an explicit ".domain.tld" pattern.
+ A list of Postfix features where the pattern "example.com" also
+ matches subdomains of example.com, instead of requiring an
+ explicit ".example.com" pattern.
<b><a href="postconf.5.html#relayhost">relayhost</a> (empty)</b>
- The next-hop destination of non-local mail; overrides non-local
+ The next-hop destination of non-local mail; overrides non-local
domains in recipient addresses.
<b><a href="postconf.5.html#transport_maps">transport_maps</a> (empty)</b>
- Optional lookup tables with mappings from recipient address to
+ Optional lookup tables with mappings from recipient address to
(message delivery transport, next-hop destination).
Available in Postfix version 2.3 and later:
<b><a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> (empty)</b>
- A sender-dependent override for the global <a href="postconf.5.html#relayhost">relayhost</a> parameter
+ A sender-dependent override for the global <a href="postconf.5.html#relayhost">relayhost</a> parameter
setting.
Available in Postfix version 2.5 and later:
<b><a href="postconf.5.html#empty_address_relayhost_maps_lookup_key">empty_address_relayhost_maps_lookup_key</a> (</b><><b>)</b>
- The <a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> search string that will be
+ The <a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> search string that will be
used instead of the null sender address.
Available in Postfix version 2.7 and later:
<b><a href="postconf.5.html#empty_address_default_transport_maps_lookup_key">empty_address_default_transport_maps_lookup_key</a> (</b><><b>)</b>
- The <a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> search string that
+ The <a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> search string that
will be used instead of the null sender address.
<b><a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> (empty)</b>
- A sender-dependent override for the global <a href="postconf.5.html#default_transport">default_transport</a>
+ A sender-dependent override for the global <a href="postconf.5.html#default_transport">default_transport</a>
parameter setting.
<b>ADDRESS VERIFICATION CONTROLS</b>
- Postfix version 2.1 introduces sender and recipient address verifica-
+ Postfix version 2.1 introduces sender and recipient address verifica‐
tion. This feature is implemented by sending probe email messages that
- are not actually delivered. By default, address verification probes
- use the same route as regular mail. To override specific aspects of
+ are not actually delivered. By default, address verification probes
+ use the same route as regular mail. To override specific aspects of
message routing for address verification probes, specify one or more of
the following:
<b><a href="postconf.5.html#address_verify_local_transport">address_verify_local_transport</a> ($<a href="postconf.5.html#local_transport">local_transport</a>)</b>
- Overrides the <a href="postconf.5.html#local_transport">local_transport</a> parameter setting for address ver-
+ Overrides the <a href="postconf.5.html#local_transport">local_transport</a> parameter setting for address ver‐
ification probes.
<b><a href="postconf.5.html#address_verify_virtual_transport">address_verify_virtual_transport</a> ($<a href="postconf.5.html#virtual_transport">virtual_transport</a>)</b>
- Overrides the <a href="postconf.5.html#virtual_transport">virtual_transport</a> parameter setting for address
+ Overrides the <a href="postconf.5.html#virtual_transport">virtual_transport</a> parameter setting for address
verification probes.
<b><a href="postconf.5.html#address_verify_relay_transport">address_verify_relay_transport</a> ($<a href="postconf.5.html#relay_transport">relay_transport</a>)</b>
- Overrides the <a href="postconf.5.html#relay_transport">relay_transport</a> parameter setting for address ver-
+ Overrides the <a href="postconf.5.html#relay_transport">relay_transport</a> parameter setting for address ver‐
ification probes.
<b><a href="postconf.5.html#address_verify_default_transport">address_verify_default_transport</a> ($<a href="postconf.5.html#default_transport">default_transport</a>)</b>
- Overrides the <a href="postconf.5.html#default_transport">default_transport</a> parameter setting for address
+ Overrides the <a href="postconf.5.html#default_transport">default_transport</a> parameter setting for address
verification probes.
<b><a href="postconf.5.html#address_verify_relayhost">address_verify_relayhost</a> ($<a href="postconf.5.html#relayhost">relayhost</a>)</b>
- Overrides the <a href="postconf.5.html#relayhost">relayhost</a> parameter setting for address verifica-
+ Overrides the <a href="postconf.5.html#relayhost">relayhost</a> parameter setting for address verifica‐
tion probes.
<b><a href="postconf.5.html#address_verify_transport_maps">address_verify_transport_maps</a> ($<a href="postconf.5.html#transport_maps">transport_maps</a>)</b>
- Overrides the <a href="postconf.5.html#transport_maps">transport_maps</a> parameter setting for address veri-
+ Overrides the <a href="postconf.5.html#transport_maps">transport_maps</a> parameter setting for address veri‐
fication probes.
Available in Postfix version 2.3 and later:
- <b><a href="postconf.5.html#address_verify_sender_dependent_relayhost_maps">address_verify_sender_dependent_relayhost_maps</a> ($<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_depen</a>-</b>
- <b><a href="postconf.5.html#sender_dependent_relayhost_maps">dent_relayhost_maps</a>)</b>
- Overrides the <a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> parameter setting
+ <b><a href="postconf.5.html#address_verify_sender_dependent_relayhost_maps">address_verify_sender_dependent_relayhost_maps</a> ($sender_depen</b>‐\b‐
+ <b>dent_relayhost_maps)</b>
+ Overrides the <a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> parameter setting
for address verification probes.
Available in Postfix version 2.7 and later:
- <b><a href="postconf.5.html#address_verify_sender_dependent_default_transport_maps">address_verify_sender_dependent_default_transport_maps</a> ($<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_depen</a>-</b>
- <b><a href="postconf.5.html#sender_dependent_default_transport_maps">dent_default_transport_maps</a>)</b>
- Overrides the <a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> parameter
+ <b><a href="postconf.5.html#address_verify_sender_dependent_default_transport_maps">address_verify_sender_dependent_default_transport_maps</a> ($sender_depen</b>‐\b‐
+ <b>dent_default_transport_maps)</b>
+ Overrides the <a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> parameter
setting for address verification probes.
<b>MISCELLANEOUS CONTROLS</b>
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
- The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
+ The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con‐
figuration files.
<b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
- How much time a Postfix daemon process may take to handle a
+ How much time a Postfix daemon process may take to handle a
request before it is terminated by a built-in watchdog timer.
<b><a href="postconf.5.html#empty_address_recipient">empty_address_recipient</a> (MAILER-DAEMON)</b>
The recipient of mail addressed to the null address.
<b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
- The time limit for sending or receiving information over an
+ The time limit for sending or receiving information over an
internal communication channel.
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
- The maximum amount of time that an idle Postfix daemon process
+ The maximum amount of time that an idle Postfix daemon process
waits for an incoming connection before terminating voluntarily.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
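Review bot: three parameter references lose their hyperlinks in this hunk: "$virtual_mail‐ / box_domains" in the default_transport text, and the default values "$sender_depen‐ / dent_relayhost_maps" and "$sender_depen‐ / dent_default_transport_maps" in the two address_verify_sender_dependent_* entries, the last two also picking up a stray "‐\b‐" sequence. Every other change here is whitespace or the hyphen character at a line break, so these look like a side effect of regeneration rather than an intended edit; restore the anchors before committing the generated HTML.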
The location of the Postfix top-level queue directory.
<b><a href="postconf.5.html#show_user_unknown_table_name">show_user_unknown_table_name</a> (yes)</b>
- Display the name of the recipient table in the "User unknown"
+ Display the name of the recipient table in the "User unknown"
responses.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
- The mail system name that is prepended to the process name in
- syslog records, so that "smtpd" becomes, for example, "post-
+ The mail system name that is prepended to the process name in
+ syslog records, so that "smtpd" becomes, for example, "post‐
fix/smtpd".
Available in Postfix version 2.0 and later:
<b><a href="postconf.5.html#helpful_warnings">helpful_warnings</a> (yes)</b>
- Log warnings about problematic configuration settings, and pro-
+ Log warnings about problematic configuration settings, and pro‐
vide helpful suggestions.
<b>SEE ALSO</b>
patterns or "type:table" lookup tables. The right-hand side result
from "type:table" lookups is ignored.
.PP
-Pattern matching of domain names is controlled by the
-parent_domain_matches_subdomains parameter.
+Pattern matching of domain names is controlled by the presence
+or absence of "debug_peer_list" in the parent_domain_matches_subdomains
+parameter value.
.PP
Examples:
.PP
lookup table is matched when the domain or its parent domain appears
as lookup key.
.PP
+Pattern matching of domain names is controlled by the presence
+or absence of "fast_flush_domains" in the parent_domain_matches_subdomains
+parameter value.
+.PP
Specify "fast_flush_domains =" (i.e., empty) to disable the feature
altogether.
.SH fast_flush_purge_time (default: 7d)
block from the list. The form "!/file/name" is supported only
in Postfix version 2.4 and later.
.PP
-Note: IP version 6 address information must be specified inside
+Note 1: Pattern matching of domain names is controlled by the
+or absence of "mynetworks" in the parent_domain_matches_subdomains
+parameter value.
+.PP
+Note 2: IP version 6 address information must be specified inside
[] in the mynetworks value, and in files specified with
"/file/name". IP version 6 addresses contain the ":" character,
and would otherwise be confused with a "type:table" pattern.
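Review bot: "Note 1" is missing a word. It reads "controlled by the or absence of "mynetworks"", where every sibling paragraph added in this patch says "controlled by the presence or absence of ...". Add "presence" at the end of the first added line, and fix it at the source if this man page is generated.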
recipient_delimiter is set to "-". This feature is useful for
mailing lists.
.SH parent_domain_matches_subdomains (default: see "postconf -d" output)
-What Postfix features match subdomains of "domain.tld" automatically,
-instead of requiring an explicit ".domain.tld" pattern. This is
+A list of Postfix features where the pattern "example.com" also
+matches subdomains of example.com,
+instead of requiring an explicit ".example.com" pattern. This is
planned backwards compatibility: eventually, all Postfix features
-are expected to require explicit ".domain.tld" style patterns when
+are expected to require explicit ".example.com" style patterns when
you really want to match subdomains.
+.PP
+The following Postfix feature names are supported.
+.IP "Postfix version 1.0 and later"
+debug_peer_list,
+fast_flush_domains,
+mynetworks,
+permit_mx_backup_networks,
+relay_domains,
+transport_maps
+.br
+.IP "Postfix version 1.1 and later"
+qmqpd_authorized_clients,
+smtpd_access_maps,
+.br
+.IP "Postfix version 2.8 and later"
+postscreen_access_list
+.br
+.IP "Postfix version 2.12 and later"
+smtpd_client_event_limit_exceptions
+.br
+.br
.SH permit_mx_backup_networks (default: empty)
Restrict the use of the permit_mx_backup SMTP access feature to
only domains whose primary MX hosts match the listed networks.
The parameter value syntax is the same as with the mynetworks
parameter; note, however, that the default value is empty.
+.PP
+Pattern matching of domain names is controlled by the presence
+or absence of "permit_mx_backup_networks" in the
+parent_domain_matches_subdomains parameter value.
.SH pickup_service_name (default: pickup)
The name of the \fBpickup\fR(8) service. This service picks up local mail
submissions from the Postfix maildrop queue.
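Review bot: in the new feature list, the "Postfix version 1.1 and later" group ends with a trailing comma ("smtpd_access_maps,") although it is the last name in that group, while the 1.0 group ends without one; drop the comma. The list also closes with two consecutive ".br" requests before ".SH permit_mx_backup_networks", one of which is redundant.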
Do not subject the client to any before/after 220 greeting tests.
Pass the connection immediately to a Postfix SMTP server process.
.br
+Pattern matching of domain names is controlled by the presence
+or absence of "postscreen_access_list" in the
+parent_domain_matches_subdomains parameter value.
+.br
.IP "\fB type:table \fR"
Query the specified lookup
table. Each table lookup result is an access list, except that
exclamation point (!). The form "!/file/name" is supported only
in Postfix version 2.4 and later.
.PP
+Pattern matching of domain names is controlled by the presence
+or absence of "qmqpd_authorized_clients" in the
+parent_domain_matches_subdomains parameter value.
+.PP
Example:
.PP
.nf
This feature is available in Postfix 2.0 and later.
.SH relay_domains (default: $mydestination)
What destination domains (and subdomains thereof) this system
-will relay mail to. Subdomain matching is controlled with the
-parent_domain_matches_subdomains parameter. For details about how
+will relay mail to. For details about how
the relay_domains value is used, see the description of the
permit_auth_destination and reject_unauth_destination SMTP recipient
restrictions.
lookup table is matched when a (parent) domain appears as lookup
key. Specify "!pattern" to exclude a domain from the list. The form
"!/file/name" is supported only in Postfix version 2.4 and later.
+.PP
+Pattern matching of domain names is controlled by the presence
+or absence of "relay_domains" in the parent_domain_matches_subdomains
+parameter value.
.SH relay_domains_reject_code (default: 554)
The numerical Postfix SMTP server response code when a client
request is rejected by the reject_unauth_destination recipient
contain the ":" character, and would otherwise be confused with a
"type:table" pattern.
.PP
+Pattern matching of domain names is controlled by the presence
+or absence of "smtpd_client_event_limit_exceptions" in the
+parent_domain_matches_subdomains parameter value (postfix 2.12 and
+later).
+.PP
This feature is available in Postfix 2.2 and later.
.SH smtpd_client_message_rate_limit (default: 0)
The maximal number of message delivery requests that any client is
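Review bot: the added paragraph writes "postfix 2.12 and later" in lower case, whereas the next line and the rest of the page use "Postfix"; capitalize it. Because the following line says the feature itself is available in Postfix 2.2 and later, the paragraph would be clearer if it also said how domain patterns are matched in the versions before 2.12.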
feature with local files, run "\fBpostmap /etc/postfix/transport\fR"
after making a change.
.PP
+Pattern matching of domain names is controlled by the presence
+or absence of "transport_maps" in the parent_domain_matches_subdomains
+parameter value.
+.PP
For safety reasons, as of Postfix 2.3 this feature does not
allow $number substitutions in regular expression maps.
.PP
The maximal number of incoming connections that a Postfix daemon
process will service before terminating voluntarily.
.IP "\fBparent_domain_matches_subdomains (see 'postconf -d' output)\fR"
-What Postfix features match subdomains of "domain.tld" automatically,
-instead of requiring an explicit ".domain.tld" pattern.
+A list of Postfix features where the pattern "example.com" also
+matches subdomains of example.com,
+instead of requiring an explicit ".example.com" pattern.
.IP "\fBprocess_id (read-only)\fR"
The process ID of a Postfix command or daemon process.
.IP "\fBprocess_name (read-only)\fR"
$smtpd_sender_restrictions, or wait until the ETRN command before
evaluating $smtpd_client_restrictions and $smtpd_helo_restrictions.
.IP "\fBparent_domain_matches_subdomains (see 'postconf -d' output)\fR"
-What Postfix features match subdomains of "domain.tld" automatically,
-instead of requiring an explicit ".domain.tld" pattern.
+A list of Postfix features where the pattern "example.com" also
+matches subdomains of example.com,
+instead of requiring an explicit ".example.com" pattern.
.IP "\fBsmtpd_client_restrictions (empty)\fR"
Optional restrictions that the Postfix SMTP server applies in the
context of a client connection request.
$proxy_interfaces, $virtual_alias_domains, $virtual_mailbox_domains,
or $relay_domains.
.IP "\fBparent_domain_matches_subdomains (see 'postconf -d' output)\fR"
-What Postfix features match subdomains of "domain.tld" automatically,
-instead of requiring an explicit ".domain.tld" pattern.
+A list of Postfix features where the pattern "example.com" also
+matches subdomains of example.com,
+instead of requiring an explicit ".example.com" pattern.
.IP "\fBrelayhost (empty)\fR"
The next-hop destination of non-local mail; overrides non-local
domains in recipient addresses.
s/(http:\/\/[^ ,"\(\)]*[^ ,"\(\):;!?.])/<a href="$1">$1<\/a>/;
s/(ftp:\/\/[^ ,"\(\)]*[^ ,"\(\):;!?.])/<a href="$1">$1<\/a>/;
- s/\bRFC\s*([1-9]\d*)/<a href="http:\/\/tools.ietf.org\/html\/rfc$1">$&<\/a>/;
+ s/\bRFC\s*([1-9]\d*)/<a href="http:\/\/tools.ietf.org\/html\/rfc$1">$&<\/a>/g;
# Split README/RFC/parameter/restriction hyperlinks that span line breaks
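Review bot: the http:// and ftp:// rules directly above the RFC rule still lack /g, so a line with two URLs gets only the first one linked, while the RFC rule now links every match. If only the RFC rule is meant to be global, a short comment saying why would help; otherwise give the URL rules the same flag.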
../html/SCHEDULER_README.html ../html/SMTPD_ACCESS_README.html \
../html/SMTPD_POLICY_README.html \
../html/SMTPD_PROXY_README.html \
+ ../html/SMTPUTF8_README.html \
../html/SOHO_README.html \
../html/SQLITE_README.html \
../html/STANDARD_CONFIGURATION_README.html \
../README_FILES/SASL_README ../README_FILES/SCHEDULER_README \
../README_FILES/SMTPD_ACCESS_README \
../README_FILES/SMTPD_POLICY_README ../README_FILES/SMTPD_PROXY_README \
+ ../README_FILES/SMTPUTF8_README \
../README_FILES/SOHO_README \
../README_FILES/SQLITE_README \
../README_FILES/STANDARD_CONFIGURATION_README \
../html/SMTPD_PROXY_README.html: SMTPD_PROXY_README.html
$(DETAB) $? | $(POSTLINK) >$@
+../html/SMTPUTF8_README.html: SMTPUTF8_README.html
+ $(DETAB) $? | $(POSTLINK) >$@
+
../html/SOHO_README.html: $(MAKESOHO) $(DEPSOHO)
$(MAKESOHO) | $(POSTLINK) | $(DETAB) >$@
../README_FILES/SMTPD_PROXY_README: SMTPD_PROXY_README.html
$(DETAB) $? | $(HT2READ) >$@
+../README_FILES/SMTPUTF8_README: SMTPUTF8_README.html
+ $(DETAB) $? | $(HT2READ) >$@
+
../README_FILES/SOHO_README: $(MAKESOHO) $(DEPSOHO)
$(MAKESOHO) | $(HT2READ) | $(DETAB) >$@
<p> The <strong>mmencode</strong> command is part of the metamail
software. </p>
-<li> <p> Using Perl <b>MIME::Base64</b>: </p>
+<li> <p> Using Perl <b>MIME::Base64</b> (from http://www.cpan.org/): </p>
<blockquote>
<pre>
</pre>
</blockquote>
-<p> MIME::Base64 is available from http://www.cpan.org/. </p>
+<p> If the username or password contain "@", you must specify "\@". </p>
<li> <p> Using the <b>gen-auth</b> script: </p>
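Review bot: the added sentence has a subject-verb mismatch ("the username or password contain"); it should read "contains". It also replaces the sentence that sat directly under the Perl example without saying that the escape applies to that example or why it is needed; something like "If the username or password contains "@", write it as "\@" in the Perl command" would make that explicit.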
<p> The content filter itself is not described here. You can use
any filter that is SMTP enabled. For non-SMTP capable content
filtering software, Bennett Todd's SMTP proxy implements a nice
-PERL/SMTP content filtering framework. See:
-http://bent.latency.net/smtpprox/. </p>
+Perl-based framework. See: http://bent.latency.net/smtpprox/ or
+https://github.com/jnorell/smtpprox.</p>
<blockquote>
--- /dev/null
+<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
+ "http://www.w3.org/TR/html4/loose.dtd">
+
+<html>
+
+<head>
+
+<title>Postfix SMTPUTF8 support</title>
+
+<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
+
+</head>
+
+<body>
+
+<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">
+Postfix SMTPUTF8 support
+</h1>
+
+<hr>
+
+<h2> Overview </h2>
+
+<p> This document describes Postfix support for Email Address
+Internationalization (EAI) as defined in RFC 6531 (SMTPUTF8 extension),
+RFC 6532 (Internationalized email headers) and RFC 6533 (Internationalized
+delivery status notifications). Introduced with Postfix version
+2.12, this fully supports UTF-8 email addresses and UTF-8 message
+header values. </p>
+
+<p> Topics covered in this document: </p>
+
+<ul>
+
+<li><a href="#enabling">Enabling Postfix SMTPUTF8 support</a>
+
+<li><a href="#using">Using Postfix SMTPUTF8 support</a>
+
+<li><a href="#detecting">SMTPUTF8 autodetection</a>
+
+<li><a href="#limitations">Limitations of the current implementation</a>
+
+<li><a href="#compatibility">Compatibility with pre-SMTPUTF8 environments</a>
+
+<li><a href="#building">Building with/without SMTPUTF8 support</a>
+
+<li><a href="#credits">Credits</a>
+
+</ul>
+
+<h2> <a name="enabling">Enabling Postfix SMTPUTF8 support</a> </h2>
+
+<p> By default, Postfix SMTPUTF8 support is disabled. Thus, Postfix
+should work exactly as it has worked before SMTPUTF8 support was
+implemented. </p>
+
+<p> Before turning on SMTPUTF8 support in Postfix, you need to
+verify that the rest of your email infrastructure can handle UTF-8
+email addresses and message header values, including SMTPUTF8
+protocol support in SMTP-based content filters (Amavisd), LMTP
+servers (Dovecot), and down-stream SMTP servers. </p>
+
+<p> SMTPUTF8 support is enabled by setting the smtputf8_enable
+parameter in main.cf:</p>
+
+<blockquote>
+<pre>
+# postconf "smtputf8_enable = yes"
+# postfix reload
+</pre>
+</blockquote>
+
+<p> With SMTPUTF8 support enabled, Postfix changes behavior as follows: </p>
+
+<ul>
+
+<li> <p> UTF-8 is permitted in the myorigin parameter value. However,
+the myhostname and mydomain parameters must specify ASCII-only
+domain names. This limitation may be removed later. </p>
+
+<li> <p> The Postfix SMTP server announces SMTPUTF8 support in the
+EHLO response. </p>
+
+<pre>
+220 server.example.com ESMTP Postfix
+EHLO client.example.com
+250-server.example.com
+250-PIPELINING
+250-SIZE 10240000
+250-VRFY
+250-ETRN
+250-STARTTLS
+250-AUTH PLAIN LOGIN
+250-ENHANCEDSTATUSCODES
+250-8BITMIME
+250-DSN
+250 SMTPUTF8
+</pre>
+
+<li> <p> The Postfix SMTP server accepts the SMTPUTF8 request in
+MAIL FROM and VRFY commands. </p>
+
+<pre>
+MAIL FROM:<address> SMTPUTF8 ...
+
+VRFY address SMTPUTF8
+</pre>
+
+<li> <p> The Postfix SMTP client may issue the SMTPUTF8 request in
+MAIL FROM commands. </p>
+
+<li> <p> Postfix already permitted UTF-8 in message header values
+and in address localparts. This does not change. </p>
+
+<li> <p> The Postfix SMTP server accepts UTF-8 in email address
+domains, but only after the remote SMTP client client issues the
+SMTPUTF8 request in MAIL FROM or VRFY commands. </p>
+
+</ul>
+
+<h2> <a name="using">Using Postfix SMTPUTF8 support</a> </h2>
+
+<p> After Postfix SMTPUTF8 support is turned on, Postfix behavior
+will depend on 1) whether a remote SMTP client requests SMTPUTF8
+support, 2) the presence of UTF-8 content in the message envelope
+and headers, and 3) whether a down-stream SMTP (or LMTP) server
+announces SMTPUTF8 support. </p>
+
+<ul>
+
+<li> <p> When the Postfix SMTP server receives a message WITHOUT
+the SMTPUTF8 request, Postfix handles the message as it has always
+done (at least that is the default, see autodetection below).
+Specifically, the Postfix SMTP server does not accept UTF-8 in the
+envelope sender domain name or envelope recipient domain name, and
+the Postfix SMTP client does not issue the SMTPUTF8 request when
+delivering that message an SMTP or LMTP server that announces
+SMTPUTF8 support (again, that is the default). Postfix will accept
+UTF-8 in message header values and in the localpart of envelope
+sender and recipient addresses, because it has always done that.
+</p>
+
+<li> <p> When the Postfix SMTP server receives a message WITH the
+SMTPUTF8 request, Postfix will issue the SMTPUTF8 request when
+delivering that message to an SMTP or LMTP server that announces
+SMTPUTF8 support. This is not configurable. </p>
+
+<li> <p> When a message is received with the SMTPUTF8 request,
+Postfix will deliver the message to a non-SMTPUTF8 SMTP or LMTP
+server ONLY if: </p>
+
+ <ul>
+
+ <li> <p> No message header value contains UTF-8. </p>
+
+ <li> <p> The envelope sender address contains no UTF-8, </p>
+
+ <li> <p> No envelope recipient address for that specific
+ SMTP/LMTP delivery transaction contains UTF-8. </p>
+
+ <blockquote> <p> NOTE: Recipients in other email delivery
+ transactions for that same message may still contain UTF-8.
+ </p> </blockquote>
+
+ </ul>
+
+ <p> Otherwise, Postfix will return the recipient(s) for that
+ email delivery transaction as undeliverable. The delivery status
+ notification message will be an SMTPUTF8 message. It will therefore
+ be subject to the same restrictions as email that is received
+ with the SMTPUTF8 request. </p>
+
+<li> <p> When the Postfix SMTP server receives a message with the
+SMTPUTF8 request, that request also applies after the message is
+forwarded via a virtual or local alias, or $HOME/.forward file.
+</p>
+
+</ul>
+
+<h2> <a name="detecting">SMTPUTF8 autodetection</a> </h2>
+
+<p> This section applies only to systems that have SMTPUTF8 support
+turned on (smtputf8_enable = yes). </p>
+
+<p> For compatibility with pre-SMTPUTF8 environments, Postfix does
+not automatically set the "SMTPUTF8 requested" flag on messages
+from non-SMTPUTF8 clients that contain an UTF-8 header value or
+UTF-8 address localpart. This would make such messages undeliverable
+to non-SMTPUTF8 servers, and could be a barrier to SMTPUTF8 adoption.
+</p>
+
+<p> By default, Postfix sets the "SMTPUTF8 requested" flag only on
+address verification probes and on Postfix sendmail submissions
+that contain UTF-8 in the sender address, UTF-8 in a recipient
+address, or UTF-8 in a message header value. </p>
+
+<blockquote>
+<pre>
+/etc/postfix/main.cf:
+ smtputf8_autodetect_classes = sendmail, verify
+</pre>
+</blockquote>
+
+<p> However, if you have a non-ASCII myorigin or mydomain setting,
+or if you have a configuration that introduces UTF-8 addresses with
+virtual aliases, canonical mappings, or BCC mappings, then you may
+have to apply SMTPUTF8 autodetection to all email: </p>
+
+<blockquote>
+<pre>
+/etc/postfix/main.cf:
+ smtputf8_autodetect_classes = all
+</pre>
+</blockquote>
+
+<p> This will, of course, also flag email that was received without
+SMTPUTF8 request, but that contains UTF-8 in a sender address
+localpart, receiver address localpart, or message header value.
+Such email was not standards-compliant, but Postfix would have
+delivered it if SMTPUTF8 support was disabled. </p>
+
+<h2> <a name="limitations">Limitations of the current implementation</a>
+</h2>
+
+<p> "Internationalized" domain names can appear in two forms: the
+UTF-8 form, and the ASCII (xn--mumble) form. </p>
+
+<h3> No characterset canonicalization for non-ASCII domain names.
+</h3>
+
+<p> Postfix currently does not translate domain names from UTF-8
+into ASCII (or ASCII into UTF-8) before looking up the domain name
+in mydestination, relay_domains, access tables, etc., before logging
+the domain name, or before using the domain name in a policy daemon
+or Milter request. You will have to configure both UTF-8 and ASCII
+forms in Postfix configuration files; and both forms will have to
+be handled by logfile tools, policy daemons and Milters. </p>
+
+<h3> No case canonicalization for non-ASCII characters. </h3>
+
+<p> Postfix currently does not case-fold non-ASCII characters when
+looking up an "Internationalized" domain name in mydestination,
+relay_domains, access maps, etc. Some non-ASCII scripts do not
+distinguish between upper and lower case, some have different numbers
+of upper and lower case characters. </p>
+
+<h2> <a name="compatibility">Compatibility with pre-SMTPUTF8
+environments</a> </h2>
+
+<h3> Mailing lists with UTF-8 and non-UTF-8 subscribers </h3>
+
+<p> With Postfix, there is no need to split mailing lists into UTF-8 and
+non-UTF-8 members. Postfix will try to deliver the non-UTF8 subscribers
+over "traditional" non-SMTPUTF8 sessions, as long as the message
+has an ASCII envelope sender address and all-ASCII header values.
+The mailing list manager will have to apply RFC 2047 encoding to
+satisfy that last condition. </p>
+
+<h3> Pre-existing non-ASCII email flows </h3>
+
+<p> In pre-SMTPUTF8 environments, email with UTF-8 in address
+localparts (and in headers) works just fine because the vast majority
+of email software including Postfix is perfectly capable of handling
+such email, even if pre-SMTPUTF8 standards do not support this. </p>
+
+<p> Therefore, when Postfix SMTPUTF8 support is turned on, Postfix
+must not suddenly start to break pre-existing email flows with UTF-8
+in addres localparts (and in headers). </p>
+
+<p> Thus, Postfix continues to permit UTF-8 in address localparts
+(and in headers) in email from and to pre-SMTPUTF8 systems. At
+least, that is the default (see autodetection above). </p>
+
+<h2> <a name="building">Building with/without SMTPUTF8 support</a>
+</h2>
+
+<p> Postfix SMTPUTF8 support requires the ICU library. Postfix
+automatically builds with SMTPUTF8 support when the library and
+its header files are installed. To force Postfix to build without
+SMTPUTF8, specify: </p>
+
+<blockquote>
+<pre>
+$ make makefiles -DNO_EAI ...
+</pre>
+</blockquote>
+
+<h2> <a name="credits">Credits</a> </h2>
+
+<ul>
+
+<li> <p> Arnt Gulbrandsen posted his patch for Unicode email support
+on May 15, 2014. This work was sponsored by CNNIC. </p>
+
+<li> <p> Wietse integrated Arnt Gulbrandsen's code and released
+Postfix with SMTPUTF8 support on July 15, 2014. </p>
+
+</ul>
+
+</body>
+
+</html>
+
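Review bot: The autodetection section says "if you have a non-ASCII myorigin or mydomain setting", but the "Enabling" section of this same file states that myhostname and mydomain must specify ASCII-only domain names. One of the two needs to change, most simply by dropping "or mydomain" from the autodetection paragraph. The example MAIL FROM:<address> SMTPUTF8 ... sits in a <pre> with unescaped angle brackets, so a browser will parse <address> as an element and the example will not render as written; use &lt;address&gt;. Smaller wording fixes in this file: "client client" in the last item of the behavior list, "delivering that message an SMTP or LMTP server" (missing "to") in the first item under "Using", "addres localparts" under "Pre-existing non-ASCII email flows", and "contains no UTF-8," ending in a comma in the delivery-conditions list.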
-x509 -subj "/CN=${fqdn}" -days 3650 -out "${cert}" &&
postconf -e \
"smtpd_tls_cert_file = ${cert}" \
- "smtpd_tls_key_file = ${key}"
+ "smtpd_tls_key_file = ${key}" \
+ 'smtpd_tls_security_level = may' \
+ 'smtpd_tls_received_header = yes' \
+ 'smtpd_tls_loglevel = 1' \
+ 'smtp_tls_security_level = may' \
+ 'smtp_tls_loglevel = 1' \
+ 'smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache' \
+ 'tls_random_source = dev:/dev/urandom'
</pre>
</blockquote>
+<p> Note: the last command requires both single (') and double (")
+quotes. </p>
+
+<p> The postconf(1) command above enables opportunistic TLS for
+receiving and sending mail. It also enables logging of TLS connections
+and recording of TLS use in the "Received" header. TLS session
+caching is also enabled in the Postfix SMTP client. With Postfix
+≥ 2.10, the SMTP server does not need an explicit session cache
+since session reuse is better handled via RFC 5077 TLS session
+tickets. </p>
+
<h3><a name="private-ca">Private Certificate Authority</a></h3>
<ul>
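Review bot: The added note "the last command requires both single (') and double (") quotes" does not say why, and the reason is easy to lose when someone adapts the recipe. "${cert}" and "${key}" are double-quoted so the shell expands them, while 'smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache' is single-quoted so that ${data_directory} is written to main.cf literally. Suggest saying so in the note: switching that line to double quotes would store whatever the shell has for data_directory, normally nothing, and the cache path would then be wrong.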
smtp_tls_session_cache_database =
btree:/var/lib/postfix/smtp_tls_session_cache
smtp_tls_security_level = may
+ smtp_tls_loglevel = 1
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/foo-cert.pem
smtpd_tls_key_file = /etc/postfix/foo-key.pem
btree:/var/lib/postfix/smtpd_tls_session_cache
tls_random_source = dev:/dev/urandom
smtpd_tls_security_level = may
+ smtpd_tls_loglevel = 1
</pre>
</blockquote>
patterns or "type:table" lookup tables. The right-hand side result
from "type:table" lookups is ignored. </p>
-<p> Pattern matching of domain names is controlled by the
-parent_domain_matches_subdomains parameter. </p>
+<p> Pattern matching of domain names is controlled by the presence
+or absence of "debug_peer_list" in the parent_domain_matches_subdomains
+parameter value. </p>
<p>
Examples:
lookup table is matched when the domain or its parent domain appears
as lookup key. </p>
+<p> Pattern matching of domain names is controlled by the presence
+or absence of "fast_flush_domains" in the parent_domain_matches_subdomains
+parameter value. </p>
+
<p>
Specify "fast_flush_domains =" (i.e., empty) to disable the feature
altogether.
block from the list. The form "!/file/name" is supported only
in Postfix version 2.4 and later. </p>
-<p> Note: IP version 6 address information must be specified inside
+<p> Note 1: Pattern matching of domain names is controlled by the
+or absence of "mynetworks" in the parent_domain_matches_subdomains
+parameter value. </p>
+
+<p> Note 2: IP version 6 address information must be specified inside
<tt>[]</tt> in the mynetworks value, and in files specified with
"/file/name". IP version 6 addresses contain the ":" character,
and would otherwise be confused with a "type:table" pattern. </p>
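Review bot: "Note 1" lost a word at the line break. It reads "is controlled by the" followed by "or absence of "mynetworks"", where the parallel paragraphs added for the other parameters in this patch say "controlled by the presence or absence of". Add "presence" at the end of the first line.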
%PARAM parent_domain_matches_subdomains see "postconf -d" output
<p>
-What Postfix features match subdomains of "domain.tld" automatically,
-instead of requiring an explicit ".domain.tld" pattern. This is
+A list of Postfix features where the pattern "example.com" also
+matches subdomains of example.com,
+instead of requiring an explicit ".example.com" pattern. This is
planned backwards compatibility: eventually, all Postfix features
-are expected to require explicit ".domain.tld" style patterns when
+are expected to require explicit ".example.com" style patterns when
you really want to match subdomains.
</p>
+<p> The following Postfix feature names are supported. </p>
+
+<dl>
+
+<dt> Postfix version 1.0 and later</dt>
+
+<dd>
+debug_peer_list,
+fast_flush_domains,
+mynetworks,
+permit_mx_backup_networks,
+relay_domains,
+transport_maps
+</dd>
+
+<dt> Postfix version 1.1 and later</dt>
+
+<dd>
+qmqpd_authorized_clients,
+smtpd_access_maps,
+</dd>
+
+<dt> Postfix version 2.8 and later </dt>
+
+<dd>
+postscreen_access_list
+</dd>
+
+<dt> Postfix version 2.12 and later </dt>
+
+<dd>
+smtpd_client_event_limit_exceptions
+</dd>
+
+</dl>
+
%PARAM propagate_unmatched_extensions canonical, virtual
<p>
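Review bot: In the "Postfix version 1.1 and later" entry, "smtpd_access_maps," ends with a comma although it is the last name in that <dd>, while the other entries end without one. Drop the trailing comma so the list does not look as if a name was cut off.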
in Postfix version 2.4 and later.
</p>
+<p> Pattern matching of domain names is controlled by the presence
+or absence of "qmqpd_authorized_clients" in the
+parent_domain_matches_subdomains parameter value. </p>
+
<p>
Example:
</p>
%PARAM relay_domains $mydestination
<p> What destination domains (and subdomains thereof) this system
-will relay mail to. Subdomain matching is controlled with the
-parent_domain_matches_subdomains parameter. For details about how
+will relay mail to. For details about how
the relay_domains value is used, see the description of the
permit_auth_destination and reject_unauth_destination SMTP recipient
restrictions. </p>
"!/file/name" is supported only in Postfix version 2.4 and later.
</p>
+<p> Pattern matching of domain names is controlled by the presence
+or absence of "relay_domains" in the parent_domain_matches_subdomains
+parameter value. </p>
+
%PARAM relay_domains_reject_code 554
<p>
contain the ":" character, and would otherwise be confused with a
"type:table" pattern. </p>
+<p> Pattern matching of domain names is controlled by the presence
+or absence of "smtpd_client_event_limit_exceptions" in the
+parent_domain_matches_subdomains parameter value (postfix 2.12 and
+later). </p>
+
<p>
This feature is available in Postfix 2.2 and later.
</p>
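Review bot: The parenthetical "(postfix 2.12 and later)" writes the product name in lowercase, while the sentence right after it says "Postfix 2.2 and later"; capitalize it. Because the two version statements sit next to each other, it may also be worth making clear that 2.12 applies only to the parent_domain_matches_subdomains control and 2.2 to the parameter itself.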
feature with local files, run "<b>postmap /etc/postfix/transport</b>"
after making a change. </p>
+<p> Pattern matching of domain names is controlled by the presence
+or absence of "transport_maps" in the parent_domain_matches_subdomains
+parameter value. </p>
+
<p> For safety reasons, as of Postfix 2.3 this feature does not
allow $number substitutions in regular expression maps. </p>
The parameter value syntax is the same as with the mynetworks
parameter; note, however, that the default value is empty. </p>
+<p> Pattern matching of domain names is controlled by the presence
+or absence of "permit_mx_backup_networks" in the
+parent_domain_matches_subdomains parameter value. </p>
+
%PARAM pickup_service_name pickup
<p>
terminate the search if the client IP address matches $mynetworks.
Do not subject the client to any before/after 220 greeting tests.
Pass the connection immediately to a Postfix SMTP server process.
-</dd>
+<br> Pattern matching of domain names is controlled by the presence
+or absence of "postscreen_access_list" in the
+parent_domain_matches_subdomains parameter value. </dd>
<dt> <b> type:table </b> </dt> <dd> Query the specified lookup
table. Each table lookup result is an access list, except that
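Review bot: The new sentence is appended with <br> inside the <dd> that describes matching the client IP address against $mynetworks, so it reads as a property of that one entry, yet it names "postscreen_access_list" as the controlling feature. If it applies to the whole access list, move it out of this <dd> into its own paragraph, as was done for the other parameters in this patch. If it applies to this entry only, say how it relates to the "mynetworks" feature name that the mynetworks text in this same patch gives as the control for that parameter.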
/* The maximal number of incoming connections that a Postfix daemon
/* process will service before terminating voluntarily.
/* .IP "\fBparent_domain_matches_subdomains (see 'postconf -d' output)\fR"
-/* What Postfix features match subdomains of "domain.tld" automatically,
-/* instead of requiring an explicit ".domain.tld" pattern.
+/* A list of Postfix features where the pattern "example.com" also
+/* matches subdomains of example.com,
+/* instead of requiring an explicit ".example.com" pattern.
/* .IP "\fBprocess_id (read-only)\fR"
/* The process ID of a Postfix command or daemon process.
/* .IP "\fBprocess_name (read-only)\fR"
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20140720"
+#define MAIL_RELEASE_DATE "20140731"
#define MAIL_VERSION_NUMBER "2.12"
#ifdef SNAPSHOT
smtpd.o: ../../include/mail_version.h
smtpd.o: ../../include/maps.h
smtpd.o: ../../include/match_list.h
+smtpd.o: ../../include/match_parent_style.h
smtpd.o: ../../include/milter.h
smtpd.o: ../../include/msg.h
smtpd.o: ../../include/myaddrinfo.h
/* $smtpd_sender_restrictions, or wait until the ETRN command before
/* evaluating $smtpd_client_restrictions and $smtpd_helo_restrictions.
/* .IP "\fBparent_domain_matches_subdomains (see 'postconf -d' output)\fR"
-/* What Postfix features match subdomains of "domain.tld" automatically,
-/* instead of requiring an explicit ".domain.tld" pattern.
+/* A list of Postfix features where the pattern "example.com" also
+/* matches subdomains of example.com,
+/* instead of requiring an explicit ".example.com" pattern.
/* .IP "\fBsmtpd_client_restrictions (empty)\fR"
/* Optional restrictions that the Postfix SMTP server applies in the
/* context of a client connection request.
#include <tls_proxy.h>
#include <verify_sender_addr.h>
#include <smtputf8.h>
+#include <match_parent_style.h>
/* Single-threaded server skeleton. */
verp_clients = namadr_list_init(MATCH_FLAG_RETURN, var_verp_clients);
xclient_hosts = namadr_list_init(MATCH_FLAG_RETURN, var_xclient_hosts);
xforward_hosts = namadr_list_init(MATCH_FLAG_RETURN, var_xforward_hosts);
- hogger_list = namadr_list_init(MATCH_FLAG_RETURN, var_smtpd_hoggers);
+ hogger_list = namadr_list_init(MATCH_FLAG_RETURN
+ | match_parent_style(VAR_SMTPD_HOGGERS),
+ var_smtpd_hoggers);
/*
* Open maps before dropping privileges so we can read passwords etc.
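Review bot: Of the four namadr_list_init() calls here, only hogger_list now ORs in match_parent_style(VAR_SMTPD_HOGGERS); verp_clients, xclient_hosts and xforward_hosts still pass MATCH_FLAG_RETURN alone. If that asymmetry is intended, a one-line comment above the hogger_list call would keep the next reader from assuming an omission. The hunk also does not show which feature name VAR_SMTPD_HOGGERS expands to, so the comment should tie it to the documented name smtpd_client_event_limit_exceptions. Since this list exempts clients from event limits, it should also say that adding the name to parent_domain_matches_subdomains makes a bare "example.com" pattern exempt clients in every subdomain as well.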
/* $proxy_interfaces, $virtual_alias_domains, $virtual_mailbox_domains,
/* or $relay_domains.
/* .IP "\fBparent_domain_matches_subdomains (see 'postconf -d' output)\fR"
-/* What Postfix features match subdomains of "domain.tld" automatically,
-/* instead of requiring an explicit ".domain.tld" pattern.
+/* A list of Postfix features where the pattern "example.com" also
+/* matches subdomains of example.com,
+/* instead of requiring an explicit ".example.com" pattern.
/* .IP "\fBrelayhost (empty)\fR"
/* The next-hop destination of non-local mail; overrides non-local
/* domains in recipient addresses.