requests for 60s. Files: global/dict_pgsql.c, global/dict_mysql.c,
proto/pgsql_table, proto/mysql_table.
- Postfix 3.10 code freeze.
+20250210
+
+ Bugfix (defect introduced: Postfix 3.6): Reverted the default
+ smtp_tls_dane_insecure_mx_policy setting to "dane" as of Postfix
+ 3.6.17, 3.7.13, 3.8.8, 3.9.2, and 3.10.0. By mistake the default
+ was dependent on the smtp_tls_security_level setting. Files:
+ global/mail_params.h, proto/postconf.proto, smtp/smtp.c.
+
+20250210
+
+ Documentation: prefer 'submissions' over 'smtps'. Files:
+ proto/postconf.proto, proto/TLS_README.html.
+
+20250212
+
+ Support for OpenSSL 3.5 post-quantum cryptography. To manage
+ algorithm selection, OpenSSL introduces new TLS group syntax
+ that Postfix will not attempt to imitate. Instead, Postfix
+ now allows the tls_eecdh_auto_curves and tls_ffdhe_auto_groups
+ parameter values to have an empty value. When both are set
+ empty, the algorithm selection can be managed through OpenSSL
+ configuration. Viktor Dukhovni. Files: tls/tls_dh.c,
+ tls/tls_misc.c.
+
+ Bugfix (defect introduced: Postfix 3.4, date 20181113): a
+ server with multiple TLS certificates could report for a
+ resumed TLS session, in logging and Received: message
+ headers, the wrong server-signature and server-digest names.
+ Viktor Dukhovni. File: tls/tls_misc.c.
+
+20250213
+
+ Documentation: updated postconf(5) that the parameters
+ smtpd_tls_eecdh_grade, tls_eecdh_strong_curve,
+ tls_eecdh_ultra_curve, and tlsproxy_tls_eecdh_grade, are
+ not used since Postfix 3.6; updated the tls_eecdh_auto_curves
+ and tls_ffdhe_auto_groups description with post-quantum
+ configuration; added a post-quantum example to the
+ tls_config_file description. File: proto/postconf.proto.
+ The unused parameters will be deleted in Postfix 3.11.
+
+ Postfix 3.10 code freeze.
* postfix-tlspol, supports domains with DANE (using Postfix built-in DANE),
and domains with MTA-STS.
- * postfix-mta-sts-resolver, supports domains with MTA-STS.
+ * postfix-mta-sts-resolver, supports domains with MTA-STS as of release 1.5.0
+ (February 2025).
Both plugins can generate the additional name=value attributes that Postfix
needs for TLSRPT support (as of February 2025). This is enabled by setting a
It is strictly discouraged to use this mode from main.cf. If you want to
support this service, enable a special port in master.cf and specify "-
o smtpd_tls_wrappermode=yes" (note: no space around the "=") as an smtpd(8)
-command line option. Port 465 (smtps) was once chosen for this feature.
+command line option. Port 465 (submissions, formerly called smtps) is the most
+common example.
Example:
/etc/postfix/master.cf:
- smtps inet n - n - - smtpd
+ submissions inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
C\bCl\bli\bie\ben\bnt\bt c\bce\ber\brt\bti\bif\bfi\bic\bca\bat\bte\be v\bve\ber\bri\bif\bfi\bic\bca\bat\bti\bio\bon\bn
* Discovering servers that support TLS
* Server certificate verification depth
* Client-side cipher controls
- * Client-side SMTPS support
+ * Client-side submissions (formerly called smtps) support
* Miscellaneous client controls
C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg T\bTL\bLS\bS i\bin\bn t\bth\bhe\be S\bSM\bMT\bTP\bP/\b/L\bLM\bMT\bTP\bP c\bcl\bli\bie\ben\bnt\bt
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2,!SSLv3
-C\bCl\bli\bie\ben\bnt\bt-\b-s\bsi\bid\bde\be S\bSM\bMT\bTP\bPS\bS s\bsu\bup\bpp\bpo\bor\brt\bt
+C\bCl\bli\bie\ben\bnt\bt-\b-s\bsi\bid\bde\be s\bsu\bub\bbm\bmi\bis\bss\bsi\bio\bon\bns\bs (\b(f\bfo\bor\brm\bme\ber\brl\bly\by c\bca\bal\bll\ble\bed\bd s\bsm\bmt\btp\bps\bs)\b) s\bsu\bup\bpp\bpo\bor\brt\bt
These sections show how to send mail to a server that does not support
-STARTTLS, but that provides the SMTPS service on TCP port 465. Depending on the
-Postfix version, some additional tooling may be required.
+STARTTLS, but that provides the submissions (smtps) service on TCP port 465.
+Depending on the Postfix version, some additional tooling may be required.
P\bPo\bos\bst\btf\bfi\bix\bx >\b>=\b= 3\b3.\b.0\b0
-The Postfix SMTP client has SMTPS support built-in as of version 3.0. Use one
-of the following examples, to send all remote mail, or to send only some remote
-mail, to an SMTPS server.
+The Postfix SMTP client has submissions service support built-in as of version
+3.0. Use one of the following examples, to send all remote mail, or to send
+only some remote mail, to a submissions (smtps) server.
-P\bPo\bos\bst\btf\bfi\bix\bx >\b>=\b= 3\b3.\b.0\b0:\b: S\bSe\ben\bnd\bdi\bin\bng\bg a\bal\bll\bl r\bre\bem\bmo\bot\bte\be m\bma\bai\bil\bl t\bto\bo a\ban\bn S\bSM\bMT\bTP\bPS\bS s\bse\ber\brv\bve\ber\br
+P\bPo\bos\bst\btf\bfi\bix\bx >\b>=\b= 3\b3.\b.0\b0:\b: S\bSe\ben\bnd\bdi\bin\bng\bg a\bal\bll\bl r\bre\bem\bmo\bot\bte\be m\bma\bai\bil\bl t\bto\bo a\ba s\bsu\bub\bbm\bmi\bis\bss\bsi\bio\bon\bns\bs (\b(f\bfo\bor\brm\bme\ber\brl\bly\by c\bca\bal\bll\ble\bed\bd
+s\bsm\bmt\btp\bps\bs)\b) s\bse\ber\brv\bve\ber\br
-The first example will send all remote mail over SMTPS through a provider's
+The first example will send all remote mail to through a provider's submissions
server called "mail.example.com":
/etc/postfix/main.cf:
- # Client-side SMTPS requires "encrypt" or stronger.
+ # Client-side submissions requires "encrypt" or stronger.
smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes
# The [] suppress MX lookups.
- relayhost = [mail.example.com]:465
+ relayhost = [mail.example.com]:submissions
Use "postfix reload" to make the change effective.
See SOHO_README for additional information about SASL authentication.
-P\bPo\bos\bst\btf\bfi\bix\bx >\b>=\b= 3\b3.\b.0\b0:\b: S\bSe\ben\bnd\bdi\bin\bng\bg o\bon\bnl\bly\by m\bma\bai\bil\bl f\bfo\bor\br a\ba s\bsp\bpe\bec\bci\bif\bfi\bic\bc d\bde\bes\bst\bti\bin\bna\bat\bti\bio\bon\bn v\bvi\bia\ba S\bSM\bMT\bTP\bPS\bS
+P\bPo\bos\bst\btf\bfi\bix\bx >\b>=\b= 3\b3.\b.0\b0:\b: S\bSe\ben\bnd\bdi\bin\bng\bg o\bon\bnl\bly\by m\bma\bai\bil\bl f\bfo\bor\br a\ba s\bsp\bpe\bec\bci\bif\bfi\bic\bc d\bde\bes\bst\bti\bin\bna\bat\bti\bio\bon\bn t\bto\bo a\ba s\bsu\bub\bbm\bmi\bis\bss\bsi\bio\bon\bns\bs
+(\b(f\bfo\bor\brm\bme\ber\brl\bly\by c\bca\bal\bll\ble\bed\bd s\bsm\bmt\btp\bps\bs)\b) s\bse\ber\brv\bvi\bic\bce\be
-The second example will send only mail for "example.com" via SMTPS. This time,
-Postfix uses a transport map to deliver only mail for "example.com" via SMTPS:
+The second example will send only mail for "example.com" using the submissions
+(smtps) service. This time, Postfix uses a transport map to deliver only mail
+for "example.com" using the submissions (smtps) service:
/etc/postfix/main.cf:
transport_maps = hash:/etc/postfix/transport
/etc/postfix/transport:
- example.com relay-smtps:example.com:465
+ example.com relay-submissions:example.com:submissions
/etc/postfix/master.cf:
- relay-smtps unix - - n - - smtp
- # Client-side SMTPS requires "encrypt" or stronger.
+ relay-submissions unix - - n - - smtp
+ # Client-side submissions service requires "encrypt" or stronger.
-o smtp_tls_security_level=encrypt
-o smtp_tls_wrappermode=yes
P\bPo\bos\bst\btf\bfi\bix\bx <\b< 3\b3.\b.0\b0
-Although older Postfix SMTP client versions do not support TLS wrapper mode, it
-is relatively easy to forward a connection through the stunnel program if
-Postfix needs to deliver mail to some legacy system that doesn't support
-STARTTLS.
-
-P\bPo\bos\bst\btf\bfi\bix\bx <\b< 3\b3.\b.0\b0:\b: S\bSe\ben\bnd\bdi\bin\bng\bg a\bal\bll\bl r\bre\bem\bmo\bot\bte\be m\bma\bai\bil\bl t\bto\bo a\ban\bn S\bSM\bMT\bTP\bPS\bS s\bse\ber\brv\bve\ber\br
-
-The first example uses SMTPS to send all remote mail to a provider's mail
-server called "mail.example.com".
-
-A minimal stunnel.conf file is sufficient to set up a tunnel from local port
-11125 to the remote destination "mail.example.com" and port "smtps". Postfix
-will later use this tunnel to connect to the remote server.
-
- /path/to/stunnel.conf:
- [smtp-tls-wrapper]
- accept = 11125
- client = yes
- connect = mail.example.com:smtps
-
-To test this tunnel, use:
-
- $ telnet localhost 11125
-
-This should produce the greeting from the remote SMTP server at
-mail.example.com.
-
-On the Postfix side, the relayhost feature sends all remote mail through the
-local stunnel listener on port 11125:
-
- /etc/postfix/main.cf:
- relayhost = [127.0.0.1]:11125
-
-Use "postfix reload" to make the change effective.
-
-See SOHO_README for additional information about SASL authentication.
-
-P\bPo\bos\bst\btf\bfi\bix\bx <\b< 3\b3.\b.0\b0:\b: S\bSe\ben\bnd\bdi\bin\bng\bg o\bon\bnl\bly\by m\bma\bai\bil\bl f\bfo\bor\br a\ba s\bsp\bpe\bec\bci\bif\bfi\bic\bc d\bde\bes\bst\bti\bin\bna\bat\bti\bio\bon\bn v\bvi\bia\ba S\bSM\bMT\bTP\bPS\bS
-
-The second example will use SMTPS to send only mail for "example.com" via
-SMTPS. It uses the same stunnel configuration file as the first example, so it
-won't be repeated here.
-
-This time, the Postfix side uses a transport map to direct only mail for
-"example.com" through the tunnel:
-
- /etc/postfix/main.cf:
- transport_maps = hash:/etc/postfix/transport
-
- /etc/postfix/transport:
- example.com relay:[127.0.0.1]:11125
-
-Use "postmap hash:/etc/postfix/transport" and "postfix reload" to make the
-change effective.
-
-See SOHO_README for additional information about SASL authentication.
+Please see TLS_LEGACY_README.
M\bMi\bis\bsc\bce\bel\bll\bla\ban\bne\beo\bou\bus\bs c\bcl\bli\bie\ben\bnt\bt c\bco\bon\bnt\btr\bro\bol\bls\bs
built-in DANE), and domains with MTA-STS. </p>
<li> <p> <a href="https://github.com/Snawoot/postfix-mta-sts-resolver">
-postfix-mta-sts-resolver</a>, supports domains with MTA-STS. </p>
+postfix-mta-sts-resolver</a>, supports domains with MTA-STS as of
+release 1.5.0 (February 2025). </p>
</ul>
<p> It is strictly discouraged to use this mode from <a href="postconf.5.html">main.cf</a>. If
you want to support this service, enable a special port in <a href="master.5.html">master.cf</a>
and specify "-o <a href="postconf.5.html#smtpd_tls_wrappermode">smtpd_tls_wrappermode</a>=yes" (note: no space around
-the "=") as an <a href="smtpd.8.html">smtpd(8)</a> command line option. Port 465 (smtps) was
-once chosen for this feature.
+the "=") as an <a href="smtpd.8.html">smtpd(8)</a> command line option. Port 465 (submissions,
+formerly called smtps) is the most common example.
</p>
<p> Example: </p>
<blockquote>
<pre>
/etc/postfix/<a href="master.5.html">master.cf</a>:
- smtps inet n - n - - smtpd
+ submissions inet n - n - - smtpd
-o <a href="postconf.5.html#smtpd_tls_wrappermode">smtpd_tls_wrappermode</a>=yes -o <a href="postconf.5.html#smtpd_sasl_auth_enable">smtpd_sasl_auth_enable</a>=yes
</pre>
</blockquote>
<li> <a href="#client_cipher">Client-side cipher controls </a>
-<li> <a href="#client_smtps">Client-side SMTPS support </a>
+<li> <a href="#client_smtps">Client-side submissions (formerly called smtps) support </a>
<li> <a href="#client_misc"> Miscellaneous client controls </a>
</pre>
</blockquote>
-<h3> <a name="client_smtps">Client-side SMTPS support </a> </h3>
+<h3> <a name="client_smtps">Client-side submissions (formerly called smtps) support </a> </h3>
<p> These sections show how to send mail to a server that does not
-support STARTTLS, but that provides the SMTPS service
+support STARTTLS, but that provides the submissions (smtps) service
on TCP port 465. Depending on the Postfix version, some additional
tooling may be required. </p>
<h4> Postfix ≥ 3.0 </h4>
-<p> The Postfix SMTP client has SMTPS support built-in as of version
+<p> The Postfix SMTP client has submissions service support built-in
+as of version
3.0. Use one of the following examples, to send all remote mail,
-or to send only some remote mail, to an SMTPS server. </p>
+or to send only some remote mail, to a submissions (smtps) server. </p>
-<h5> Postfix ≥ 3.0: Sending all remote mail to an SMTPS server </h5>
+<h5> Postfix ≥ 3.0: Sending all remote mail to a submissions (formerly called smtps) server </h5>
-<p> The first example will send all remote mail over SMTPS through
-a provider's server called "mail.example.com": </p>
+<p> The first example will send all remote mail to through a
+provider's submissions server called "mail.example.com": </p>
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
- # Client-side SMTPS requires "encrypt" or stronger.
+ # Client-side submissions requires "encrypt" or stronger.
<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = encrypt
<a href="postconf.5.html#smtp_tls_wrappermode">smtp_tls_wrappermode</a> = yes
# The [] suppress MX lookups.
- <a href="postconf.5.html#relayhost">relayhost</a> = [mail.example.com]:465
+ <a href="postconf.5.html#relayhost">relayhost</a> = [mail.example.com]:submissions
</pre>
</blockquote>
</p>
<h5> Postfix ≥ 3.0: Sending only mail for a specific destination
-via SMTPS </h5>
+to a submissions (formerly called smtps) service </h5>
-<p> The second example will send only mail for "example.com" via
-SMTPS. This time, Postfix uses a transport map to deliver only
-mail for "example.com" via SMTPS: </p>
+<p> The second example will send only mail for "example.com" using
+the submissions (smtps) service.
+This time, Postfix uses a transport map to deliver only
+mail for "example.com" using the submissions (smtps) service: </p>
<blockquote>
<pre>
<a href="postconf.5.html#transport_maps">transport_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/transport
/etc/postfix/transport:
- example.com relay-smtps:example.com:465
+ example.com relay-submissions:example.com:submissions
/etc/postfix/<a href="master.5.html">master.cf</a>:
- relay-smtps unix - - n - - smtp
- # Client-side SMTPS requires "encrypt" or stronger.
+ relay-submissions unix - - n - - smtp
+ # Client-side submissions service requires "encrypt" or stronger.
-o <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>=encrypt
-o <a href="postconf.5.html#smtp_tls_wrappermode">smtp_tls_wrappermode</a>=yes
</pre>
<h4> Postfix < 3.0 </h4>
-<p> Although older Postfix SMTP client versions do not support TLS
-wrapper mode, it is relatively easy to forward a connection through
-the stunnel program if Postfix needs to deliver mail to some legacy
-system that doesn't support STARTTLS. </p>
-
-<h5> Postfix < 3.0: Sending all remote mail to an SMTPS server </h5>
-
-<p> The first example uses SMTPS to send all remote mail to a
-provider's mail server called "mail.example.com". </p>
-
-<p> A minimal stunnel.conf file is sufficient to set up a tunnel
-from local port 11125 to the remote destination "mail.example.com"
-and port "smtps". Postfix will later use this tunnel to connect to
-the remote server. </p>
-
-<blockquote>
-<pre>
-/path/to/stunnel.conf:
- [smtp-tls-wrapper]
- accept = 11125
- client = yes
- connect = mail.example.com:smtps
-</pre>
-</blockquote>
-
-<p> To test this tunnel, use: </p>
-
-<blockquote>
-<pre>
-$ telnet localhost 11125
-</pre>
-</blockquote>
-
-<p> This should produce the greeting from the remote SMTP server
-at mail.example.com. </p>
-
-<p> On the Postfix side, the <a href="postconf.5.html#relayhost">relayhost</a> feature sends all remote
-mail through the local stunnel listener on port 11125: </p>
-
-<blockquote>
-<pre>
-/etc/postfix/<a href="postconf.5.html">main.cf</a>:
- <a href="postconf.5.html#relayhost">relayhost</a> = [127.0.0.1]:11125
-</pre>
-</blockquote>
-
-<p> Use "postfix reload" to make the change effective. </p>
-
-<p> See <a href="SOHO_README.html">SOHO_README</a> for additional information about SASL
-authentication. </p>
-
-<h4> Postfix < 3.0: Sending only mail for a specific destination via SMTPS </h4>
-
-<p> The second example will use SMTPS to send only mail for
-"example.com" via SMTPS. It uses the same stunnel configuration
-file as the first example, so it won't be repeated here. </p>
-
-<p> This time, the Postfix side uses a transport map to direct only
-mail for "example.com" through the tunnel: </p>
-
-<blockquote>
-<pre>
-/etc/postfix/<a href="postconf.5.html">main.cf</a>:
- <a href="postconf.5.html#transport_maps">transport_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/transport
-
-/etc/postfix/transport:
- example.com relay:[127.0.0.1]:11125
-</pre>
-</blockquote>
-
-<p> Use "postmap <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/transport" and "postfix reload"
-to make the change effective. </p>
-
-<p> See <a href="SOHO_README.html">SOHO_README</a> for additional information about SASL authentication.
-</p>
+<p> Please see <a href="TLS_LEGACY_README.html">TLS_LEGACY_README</a>. </p>
<h3> <a name="client_misc"> Miscellaneous client controls </a> </h3>
defers delivery if no alternative server is available. </p>
<p> Example: </p>
-
+
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
an OpenSSL library that could be vulnerable. </p>
<p> Example: </p>
-
+
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<b><a href="postconf.5.html#smtp_tls_wrappermode">smtp_tls_wrappermode</a> (no)</b>
Request that the Postfix SMTP client connects using the SUBMIS-
- SIONS/SMTPS protocol instead of using the STARTTLS command.
+ SIONS (formerly called SMTPS) protocol instead of using the
+ STARTTLS command.
Available in Postfix version 3.1 and later:
- <b><a href="postconf.5.html#smtp_tls_dane_insecure_mx_policy">smtp_tls_dane_insecure_mx_policy</a> (see 'postconf -d' output)</b>
- The TLS policy for MX hosts with "secure" TLSA records when the
- nexthop destination security level is <b>dane</b>, but the MX record
+ <b><a href="postconf.5.html#smtp_tls_dane_insecure_mx_policy">smtp_tls_dane_insecure_mx_policy</a> (dane)</b>
+ The TLS policy for MX hosts with "secure" TLSA records when the
+ nexthop destination security level is <b>dane</b>, but the MX record
was found via an "insecure" MX lookup.
Available in Postfix version 3.2 and later:
<b><a href="postconf.5.html#tls_eecdh_auto_curves">tls_eecdh_auto_curves</a> (see 'postconf -d' output)</b>
- The prioritized list of elliptic curves, that should be enabled
+ The prioritized list of elliptic curves, that should be enabled
in the Postfix SMTP client and server.
Available in Postfix version 3.4 and later:
Try to make multiple deliveries per TLS-encrypted connection.
<b><a href="postconf.5.html#smtp_tls_chain_files">smtp_tls_chain_files</a> (empty)</b>
- List of one or more PEM files, each holding one or more private
+ List of one or more PEM files, each holding one or more private
keys directly followed by a corresponding certificate chain.
<b><a href="postconf.5.html#smtp_tls_servername">smtp_tls_servername</a> (empty)</b>
- Optional name to send to the remote SMTP server in the TLS
+ Optional name to send to the remote SMTP server in the TLS
Server Name Indication (SNI) extension.
Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later:
<b><a href="postconf.5.html#tls_fast_shutdown_enable">tls_fast_shutdown_enable</a> (yes)</b>
- A workaround for implementations that hang Postfix while shut-
+ A workaround for implementations that hang Postfix while shut-
ting down a TLS session, until Postfix times out.
Available in Postfix version 3.8 and later:
<b><a href="postconf.5.html#tls_ffdhe_auto_groups">tls_ffdhe_auto_groups</a> (see 'postconf -d' output)</b>
- The prioritized list of finite-field Diffie-Hellman ephemeral
+ The prioritized list of finite-field Diffie-Hellman ephemeral
(FFDHE) key exchange groups supported by the Postfix SMTP client
and server.
Optional configuration file with baseline OpenSSL settings.
<b><a href="postconf.5.html#tls_config_name">tls_config_name</a> (empty)</b>
- The application name passed by Postfix to OpenSSL library ini-
+ The application name passed by Postfix to OpenSSL library ini-
tialization functions.
Available in Postfix version 3.9 and later:
<b><a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> (no)</b>
- Request that remote SMTP servers send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key
+ Request that remote SMTP servers send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key
instead of an X.509 certificate.
Available in Postfix version 3.10 and later:
<b><a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a> (yes)</b>
Do not report the TLSRPT status for TLS protocol handshakes that
- reuse a previously-negotiated TLS session (there is no new
+ reuse a previously-negotiated TLS session (there is no new
information to report).
<b><a href="postconf.5.html#tls_required_enable">tls_required_enable</a> (yes)</b>
defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>.
<b><a name="obsolete_starttls_controls">OBSOLETE STARTTLS CONTROLS</a></b>
- The following configuration parameters exist for compatibility with
- Postfix versions before 2.3. Support for these will be removed in a
+ The following configuration parameters exist for compatibility with
+ Postfix versions before 2.3. Support for these will be removed in a
future release.
<b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
- Opportunistic mode: use TLS when a remote SMTP server announces
+ Opportunistic mode: use TLS when a remote SMTP server announces
STARTTLS support, otherwise send the mail in the clear.
<b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
- Enforcement mode: require that remote SMTP servers use TLS
+ Enforcement mode: require that remote SMTP servers use TLS
encryption, and never send mail in the clear.
<b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
- With mandatory TLS encryption, require that the remote SMTP
- server hostname matches the information in the remote SMTP
+ With mandatory TLS encryption, require that the remote SMTP
+ server hostname matches the information in the remote SMTP
server certificate.
<b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
- Optional lookup tables with the Postfix SMTP client TLS usage
- policy by next-hop destination and by remote SMTP server host-
+ Optional lookup tables with the Postfix SMTP client TLS usage
+ policy by next-hop destination and by remote SMTP server host-
name.
<b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
- Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS
+ Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS
cipher list.
<b><a name="resource_and_rate_controls">RESOURCE AND RATE CONTROLS</a></b>
<b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
- The Postfix SMTP client time limit for completing a TCP connec-
+ The Postfix SMTP client time limit for completing a TCP connec-
tion, or zero (use the operating system built-in time limit).
<b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
- The Postfix SMTP client time limit for sending the HELO or EHLO
- command, and for receiving the initial remote SMTP server
+ The Postfix SMTP client time limit for sending the HELO or EHLO
+ command, and for receiving the initial remote SMTP server
response.
<b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
mand, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
- The Postfix SMTP client time limit for sending the MAIL FROM
+ The Postfix SMTP client time limit for sending the MAIL FROM
command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
- The Postfix SMTP client time limit for sending the SMTP RCPT TO
+ The Postfix SMTP client time limit for sending the SMTP RCPT TO
command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
- The Postfix SMTP client time limit for sending the SMTP DATA
+ The Postfix SMTP client time limit for sending the SMTP DATA
command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
- The Postfix SMTP client time limit for sending the SMTP message
+ The Postfix SMTP client time limit for sending the SMTP message
content.
<b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a> (5)</b>
- The maximal number of MX (mail exchanger) IP addresses that can
- result from Postfix SMTP client mail exchanger lookups, or zero
+ The maximal number of MX (mail exchanger) IP addresses that can
+ result from Postfix SMTP client mail exchanger lookups, or zero
(no limit).
<b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
- The maximal number of SMTP sessions per delivery request before
- the Postfix SMTP client gives up or delivers to a fall-back
+ The maximal number of SMTP sessions per delivery request before
+ the Postfix SMTP client gives up or delivers to a fall-back
<a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit).
<b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
Available in Postfix version 2.2 and earlier:
<b><a href="postconf.5.html#lmtp_cache_connection">lmtp_cache_connection</a> (yes)</b>
- Keep
Postfix LMTP client connections open for up to $<a href="postconf.5.html#max_idle">max_idle</a>
+ Keep
Postfix LMTP client connections open for up to $<a href="postconf.5.html#max_idle">max_idle</a>
seconds.
Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
- Permanently enable SMTP connection caching for the specified
+ Permanently enable SMTP connection caching for the specified
destinations.
<b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
- Temporarily enable SMTP connection caching while a destination
+ Temporarily enable SMTP connection caching while a destination
has a high volume of mail in the <a href="QSHAPE_README.html#active_queue">active queue</a>.
<b><a href="postconf.5.html#smtp_connection_reuse_time_limit">smtp_connection_reuse_time_limit</a> (300s)</b>
Available in Postfix version 2.3 and later:
<b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b>
- Time limit for connection cache connect, send or receive opera-
+ Time limit for connection cache connect, send or receive opera-
tions.
Available in Postfix version 2.9 - 3.6:
<b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b>
- Change the behavior of the smtp_*_timeout time limits, from a
- time limit per read or write system call, to a time limit to
- send or receive a complete record (an SMTP command line, SMTP
- response line, SMTP message content line, or TLS protocol mes-
+ Change the behavior of the smtp_*_timeout time limits, from a
+ time limit per read or write system call, to a time limit to
+ send or receive a complete record (an SMTP command line, SMTP
+ response line, SMTP message content line, or TLS protocol mes-
sage).
Available in Postfix version 2.11 and later:
<b><a href="postconf.5.html#smtp_connection_reuse_count_limit">smtp_connection_reuse_count_limit</a> (0)</b>
- When SMTP connection caching is enabled, the number of times
- that an SMTP session may be reused before it is closed, or zero
+ When SMTP connection caching is enabled, the number of times
+ that an SMTP session may be reused before it is closed, or zero
(no limit).
Available in Postfix version 3.4 and later:
Available in Postfix version 3.7 and later:
<b><a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a> (no)</b>
- Change the behavior of the smtp_*_timeout time limits, from a
- time limit per plaintext or TLS read or write call, to a com-
- bined time limit for sending a complete SMTP request and for
+ Change the behavior of the smtp_*_timeout time limits, from a
+ time limit per plaintext or TLS read or write call, to a com-
+ bined time limit for sending a complete SMTP request and for
receiving a complete SMTP response.
<b><a href="postconf.5.html#smtp_min_data_rate">smtp_min_data_rate</a> (500)</b>
- The minimum plaintext data transfer rate in bytes/second for
+ The minimum plaintext data transfer rate in bytes/second for
DATA requests, when deadlines are enabled with
<a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a>.
<b><a href="postconf.5.html#transport_destination_concurrency_limit">transport_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concur</a>-</b>
<b><a href="postconf.5.html#default_destination_concurrency_limit">rency_limit</a>)</b>
- A
transport-specific override for the <a href="postconf.5.html#default_destination_concurrency_limit">default_destination_con</a>-
+ A
transport-specific override for the <a href="postconf.5.html#default_destination_concurrency_limit">default_destination_con</a>-
<a href="postconf.5.html#default_destination_concurrency_limit">currency_limit</a> parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
name of the message delivery transport.
<b><a href="postconf.5.html#transport_destination_recipient_limit">transport_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipi</a>-</b>
<b><a href="postconf.5.html#default_destination_recipient_limit">ent_limit</a>)</b>
A transport-specific override for the <a href="postconf.5.html#default_destination_recipient_limit">default_destination_recip</a>-
- <a href="postconf.5.html#default_destination_recipient_limit">ient_limit</a>
parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
+ <a href="postconf.5.html#default_destination_recipient_limit">ient_limit</a>
parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
name of the message delivery transport.
<b><a name="smtputf8_controls">SMTPUTF8 CONTROLS</a></b>
Preliminary SMTPUTF8 support is introduced with Postfix 3.0.
<b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b>
- Enable preliminary SMTPUTF8 support for the protocols described
+ Enable preliminary SMTPUTF8 support for the protocols described
in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>, <a href="https://tools.ietf.org/html/rfc6532">RFC 6532</a>, and <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a>.
<b><a href="postconf.5.html#smtputf8_autodetect_classes">smtputf8_autodetect_classes</a> (sendmail, verify)</b>
- Detect that a message requires SMTPUTF8 support for the speci-
+ Detect that a message requires SMTPUTF8 support for the speci-
fied mail origin classes.
Available in Postfix version 3.2 and later:
<b><a href="postconf.5.html#enable_idna2003_compatibility">enable_idna2003_compatibility</a> (no)</b>
- Enable 'transitional' compatibility between IDNA2003 and
- IDNA2008, when converting UTF-8 domain names to/from the ASCII
+ Enable 'transitional' compatibility between IDNA2003 and
+ IDNA2008, when converting UTF-8 domain names to/from the ASCII
form that is used for DNS lookups.
<b><a name="trouble_shooting_controls">TROUBLE SHOOTING CONTROLS</a></b>
<b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
- The increment in verbose logging level when a nexthop destina-
- tion, remote client or server name or network address matches a
+ The increment in verbose logging level when a nexthop destina-
+ tion, remote client or server name or network address matches a
pattern given with the <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
<b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
- Optional list of nexthop destination, remote client or server
- name or network address patterns that, if matched, cause the
- verbose logging level to increase by the amount specified in
+ Optional list of nexthop destination, remote client or server
+ name or network address patterns that, if matched, cause the
+ verbose logging level to increase by the amount specified in
$<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
<b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
- The recipient of postmaster notifications about mail delivery
+ The recipient of postmaster notifications about mail delivery
problems that are caused by policy, resource, software or proto-
col errors.
<b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
- What categories of Postfix-generated mail are subject to
- before-queue
content inspection by <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>,
+ What categories of Postfix-generated mail are subject to
+ before-queue
content inspection by <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>,
<a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
<b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
<b><a name="miscellaneous_controls">MISCELLANEOUS CONTROLS</a></b>
<b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b>
- Where the Postfix SMTP client should deliver mail when it
+ Where the Postfix SMTP client should deliver mail when it
detects a "mail loops back to myself" error condition.
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
- The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
+ The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
figuration files.
<b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
- How much time a Postfix daemon process may take to handle a
+ How much time a Postfix daemon process may take to handle a
request before it is terminated by a built-in watchdog timer.
<b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
- The maximal number of digits after the decimal point when log-
+ The maximal number of digits after the decimal point when log-
ging delay values.
<b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
Disable DNS lookups in the Postfix SMTP and LMTP clients.
<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
- The local network interface addresses that this mail system
+ The local network interface addresses that this mail system
receives mail on.
<b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (see 'postconf -d' output)</b>
- The Internet protocols Postfix will attempt to use when making
+ The Internet protocols Postfix will attempt to use when making
or accepting connections.
<b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
- The time limit for sending or receiving information over an
+ The time limit for sending or receiving information over an
internal communication channel.
<b><a href="postconf.5.html#lmtp_assume_final">lmtp_assume_final</a> (no)</b>
- When a remote LMTP server announces no DSN support, assume that
- the server performs final delivery, and send "delivered" deliv-
+ When a remote LMTP server announces no DSN support, assume that
+ the server performs final delivery, and send "delivered" deliv-
ery status notifications instead of "relayed".
<b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b>
The default TCP port that the Postfix LMTP client connects to.
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
- The maximum amount of time that an idle Postfix daemon process
+ The maximum amount of time that an idle Postfix daemon process
waits for an incoming connection before terminating voluntarily.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
The process name of a Postfix command or daemon process.
<b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
- The remote network interface addresses that this mail system
- receives mail on by way of a proxy or network address transla-
+ The remote network interface addresses that this mail system
+ receives mail on by way of a proxy or network address transla-
tion unit.
<b><a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> (any)</b>
The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP
- client will try first, when a destination has IPv6 and IPv4
+ client will try first, when a destination has IPv6 and IPv4
addresses with equal MX preference.
<b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
- An optional numerical network address that the Postfix SMTP
+ An optional numerical network address that the Postfix SMTP
client should bind to when making an IPv4 connection.
<b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
- An optional numerical network address that the Postfix SMTP
+ An optional numerical network address that the Postfix SMTP
client should bind to when making an IPv6 connection.
<b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
- A prefix that is prepended to the process name in syslog
+ A prefix that is prepended to the process name in syslog
records, so that, for example, "smtpd" becomes "prefix/smtpd".
Available with Postfix 2.2 and earlier:
Available with Postfix 2.3 and later:
<b><a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a> ($<a href="postconf.5.html#fallback_relay">fallback_relay</a>)</b>
- Optional list of relay destinations that will be used when an
- SMTP destination is not found, or when delivery fails due to a
+ Optional list of relay destinations that will be used when an
+ SMTP destination is not found, or when delivery fails due to a
non-permanent error.
Available with Postfix 3.0 and later:
<b><a href="postconf.5.html#smtp_address_verify_target">smtp_address_verify_target</a> (rcpt)</b>
- In the context of email address verification, the SMTP protocol
+ In the context of email address verification, the SMTP protocol
stage that determines whether an email address is deliverable.
Available with Postfix 3.1 and later:
Available in Postfix 3.7 and later:
<b><a href="postconf.5.html#smtp_bind_address_enforce">smtp_bind_address_enforce</a> (no)</b>
- Defer delivery when the Postfix SMTP client cannot apply the
+ Defer delivery when the Postfix SMTP client cannot apply the
<a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> or <a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> setting.
<b><a name="see_also">SEE ALSO</a></b>
<p> Example <a href="master.5.html">master.cf</a> entries: </p>
<pre>
-# Distinguish inbound MTA logging from submission and smtps logging.
+# Distinguish inbound MTA logging from submission and submissions logging.
smtp inet n - n - - smtpd
submission inet n - n - - smtpd
-o <a href="postconf.5.html#syslog_name">syslog_name</a>=postfix/$<a href="postconf.5.html#service_name">service_name</a>
-smtps inet n - n - - smtpd
+submissions inet n - n - - smtpd
-o <a href="postconf.5.html#syslog_name">syslog_name</a>=postfix/$<a href="postconf.5.html#service_name">service_name</a>
</pre>
</DD>
<DT><b><a name="smtp_tls_dane_insecure_mx_policy">smtp_tls_dane_insecure_mx_policy</a>
-(default: see "postconf -d" output)</b></DT><DD>
+(default: dane)</b></DT><DD>
<p> The TLS policy for MX hosts with "secure" TLSA records when the
nexthop destination security level is <b>dane</b>, but the MX
"Verified", because the MX host name could have been forged. </dd>
</dl>
-<p> The default setting for Postfix ≥ 3.6 is "dane" with
-"<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = dane", otherwise "may". This behavior
-was backported to Postfix versions 3.5.9, 3.4.19, 3.3.16. 3.2.21.
-With earlier Postfix versions the default setting was always "dane".
+<p> The default setting is "dane" as of Postfix versions 3.6.17,
+3.7.13, 3.8.8, 3.9.2, and 3.10.0. With earlier versions the default
+was mistakenly dependent on the <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> setting.
</p>
<p> Though with "insecure" MX records an active attacker can
(default: no)</b></DT><DD>
<p> Request that the Postfix SMTP client connects using the
-SUBMISSIONS/SMTPS protocol instead of using the STARTTLS command. </p>
+SUBMISSIONS (formerly called SMTPS) protocol instead of using the
+STARTTLS command. </p>
<p> This mode requires "<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = encrypt" or
stronger. </p>
-<p> Example: deliver all remote mail via a provider's server
-"mail.example.com". </p>
+<p> Example: deliver all remote mail via a provider's submissions
+service at "mail.example.com". </p>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
- # Client-side SMTPS requires "encrypt" or stronger.
+ # Client-side SUBMISSIONS requires "encrypt" or stronger.
<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = encrypt
<a href="postconf.5.html#smtp_tls_wrappermode">smtp_tls_wrappermode</a> = yes
# The [] suppress MX lookups.
- <a href="postconf.5.html#relayhost">relayhost</a> = [mail.example.com]:465
+ <a href="postconf.5.html#relayhost">relayhost</a> = [mail.example.com]:submissions
</pre>
<p> More examples are in <a href="TLS_README.html">TLS_README</a>, including examples for older
<blockquote> <p> Note: to enforce that the From: header address
matches the envelope sender (MAIL FROM) address, use an external
-filter such as a Milter, for the submission, submissions, or smtps
+filter such as a Milter, for the submission or submissions (formerly
+called smtps )
services. For example: <a href="https://github.com/magcks/milterfrom">https://github.com/magcks/milterfrom</a>. </p>
</blockquote>
<br>
Note: to enforce that the From: header address matches the envelope
sender (MAIL FROM) address, use an external filter such as a Milter,
-for the submission, submissions, or smtps services. For example:
-<a href="https://github.com/magcks/milterfrom">https://github.com/magcks/milterfrom</a>.
+for the submission or submissions (formerly called smtps) services.
+
For example: <a href="https://github.com/magcks/milterfrom">https://github.com/magcks/milterfrom</a>.
<br>
This feature is available in Postfix version 2.1 and later. </dd>
<br>
Note: to enforce that the From: header address matches the envelope
sender (MAIL FROM) address, use an external filter such as a Milter,
-for the submission, submissions, or smtps services. For example:
-<a href="https://github.com/magcks/milterfrom">https://github.com/magcks/milterfrom</a>.
+for the submission or submissions (formerly called smtps) services.
+
For example: <a href="https://github.com/magcks/milterfrom">https://github.com/magcks/milterfrom</a>.
<br>
This feature is available in Postfix version 2.11 and later.</dd>
<br>
Note: to enforce that the From: header address matches the envelope
sender (MAIL FROM) address, use an external filter such as a Milter,
-for the submission, submissions, or smtps services. For example:
-<a href="https://github.com/magcks/milterfrom">https://github.com/magcks/milterfrom</a>.
+for the submission or submissions (formerly called smtps) services.
+
For example: <a href="https://github.com/magcks/milterfrom">https://github.com/magcks/milterfrom</a>.
<br>
This feature is available in Postfix version 2.1 and later.</dd>
<b>auto</b> value (described below) was chosen.
</p>
+<p> This feature is not used as of Postfix 3.6. Do not specify. </p>
+
<p> The available choices are: </p>
<dl>
<p> If you want to support this service, enable a special port in
<a href="master.5.html">master.cf</a>, and specify "-o <a href="postconf.5.html#smtpd_tls_wrappermode">smtpd_tls_wrappermode</a>=yes" on the SMTP
-server's command line. Port 465 (submissions/smtps) is reserved for
-this purpose. </p>
+server's command line. Port 465 (submissions, formerly called smtps)
+is reserved for this purpose. </p>
<p> This feature is available in Postfix 2.2 and later. </p>
</pre>
</blockquote>
+<p> Example: Custom OpenSSL group settings. </p>
+
+<pre>
+<a href="postconf.5.html">main.cf</a>:
+ <a href="postconf.5.html#tls_config_file">tls_config_file</a> = ${<a href="postconf.5.html#config_directory">config_directory</a>}/openssl.cnf
+ <a href="postconf.5.html#tls_config_name">tls_config_name</a> = postfix
+</pre>
+
+<pre>
+openssl.cnf:
+ postfix = postfix_settings
+</pre>
+
+<pre>
+ [postfix_settings]
+ ssl_conf = postfix_ssl_settings
+</pre>
+
+<pre>
+ [postfix_ssl_settings]
+ system_default = baseline_postfix_settings
+</pre>
+
+<pre>
+ [baseline_postfix_settings]
+ # New OpenSSL 3.5 syntax, for older releases consider
+ # the Postfix default:
+ #
+ # Groups = X25519:X448:prime256v1:secp384r1:secp521r1:ffdhe2048:ffdhe3072
+ #
+ Groups = *X25519MLKEM768 / *X25519:X448 / P-256:P-384
+</pre>
+
+<p> Caution: It is typically best to just use the default group
+settings, for which no $<a href="postconf.5.html#tls_config_file">tls_config_file</a> is required (you can set
+"<a href="postconf.5.html#tls_config_file">tls_config_file</a> = none", to avoid unwanted leakage of system-wide
+settings that strive to harden HTTPS against mostly browser-specific
+security and privacy issues into Postfix use of opportunistic TLS,
+where they're they can be counterproductive, leading to downgrades
+to cleartext, rather than more "secure" TLS). </p>
+
<p> This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6,
3.6.10, and 3.5.20. </p>
(default: see "postconf -d" output)</b></DT><DD>
<p> The prioritized list of elliptic curves, that should be enabled in the
-Postfix SMTP client and server. These are used by the Postfix SMTP server when
-"<a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a> = auto". The selected curves should be implemented
+Postfix SMTP client and server. The selected curves should be implemented
by OpenSSL and be standardized for use in the TLS "supported groups" extension
(<a href="https://tools.ietf.org/html/rfc8422">RFC8422</a>, <a href="https://tools.ietf.org/html/rfc8446">RFC8446</a> and <a href="https://tools.ietf.org/html/rfc8447">RFC8447</a>). Be sure to include at least "x25519" and
"prime256v1" (the OpenSSL name for "secp256r1", a.k.a. "P-256"). The default
is introduced with Postfix 3.8, when built against OpenSSL 3.0 or later.
</p>
+<p> Post-quantum cryptography support: OpenSSL 3.5 introduces new
+configuration syntax that Postfix will not attempt to imitate.
+Instead, with Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and later, set
+both <a href="postconf.5.html#tls_eecdh_auto_curves">tls_eecdh_auto_curves</a> and if available <a href="postconf.5.html#tls_ffdhe_auto_groups">tls_ffdhe_auto_groups</a>
+to the empty value, to enable algorithm selection through OpenSSL
+configuration. See <a href="postconf.5.html#tls_config_file">tls_config_file</a> for a configuration example.
+</p>
+
<p> This feature is available in Postfix 3.2 and later, when it is
compiled and linked with OpenSSL 1.0.2 or later on platforms where
EC algorithms have not been disabled by the vendor. </p>
is unwise to choose only "bleeding-edge" curves supported by only a
small subset of clients. </p>
+<p> This feature is not used as of Postfix 3.6. Do not specify. </p>
+
<p> The default "strong" curve is rated in NSA <a
href="https://web.archive.org/web/20160330034144/https://www.nsa.gov/ia/programs/suiteb_cryptography/">Suite
B</a> for information classified up to SECRET. </p>
to take place. It is unwise to choose only "bleeding-edge" curves
supported by only a small subset of clients. </p>
+<p> This feature is not used as of Postfix 3.6. Do not specify. </p>
+
<p> This default "ultra" curve is rated in NSA <a
href="https://web.archive.org/web/20160330034144/https://www.nsa.gov/ia/programs/suiteb_cryptography/">Suite
B</a> for information classified up to TOP SECRET. </p>
</p>
<p> Conversely, setting "<a href="postconf.5.html#tls_eecdh_auto_curves">tls_eecdh_auto_curves</a>" empty disables TLS 1.3
-EC key agreement in OpenSSL 3.0 and later. Note that at least one of
-"<a href="postconf.5.html#tls_eecdh_auto_curves">tls_eecdh_auto_curves</a>" and "<a href="postconf.5.html#tls_ffdhe_auto_groups">tls_ffdhe_auto_groups</a>" must be non-empty,
-this is required by OpenSSL 3.0. If both are inadvertently set empty,
-Postfix will fall back to the compiled-in defaults. </p>
+EC key agreement in OpenSSL 3.0 and later. If both are set empty,
+Postfix will fall back to OpenSSL preferences as described next. </p>
+
+<p> Post-quantum cryptography support: OpenSSL 3.5 introduces new
+configuration syntax that Postfix will not attempt to imitate.
+Instead, with Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and later, set
+both <a href="postconf.5.html#tls_eecdh_auto_curves">tls_eecdh_auto_curves</a> and <a href="postconf.5.html#tls_ffdhe_auto_groups">tls_ffdhe_auto_groups</a> to the empty
+value, to enable algorithm selection through OpenSSL configuration.
+See <a href="postconf.5.html#tls_config_file">tls_config_file</a> for a configuration example. </p>
<p> All the default groups and EC curves should be sufficiently strong to make
"pruning" the defaults unwise. At a minimum, "x25519" and "prime256v1" (the
elliptic-curve Diffie-Hellman (EECDH) key exchange. See
<a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a> for further details. </p>
-<p> This feature is deprecated as of Postfix 3.9. Do not specify. </p>
+<p> This feature is not used as of Postfix 3.6. Do not specify. </p>
<p> This feature is available in Postfix 2.8 and later. </p>
<p> Specify zero or more service names separated by comma and/or
whitespace. Any name in the services(5) database may be specified,
-though in practice only submission, submissions, and smtp make
-sense. </p>
+though in practice only submission or submissions (formerly called
+smtp) make sense. </p>
<p> When SRV record lookup is enabled with <a href="postconf.5.html#use_srv_lookup">use_srv_lookup</a>, you can
enclose a domain name in "[]" to force IP address lookup instead
<b><a href="postconf.5.html#smtp_tls_wrappermode">smtp_tls_wrappermode</a> (no)</b>
Request that the Postfix SMTP client connects using the SUBMIS-
- SIONS/SMTPS protocol instead of using the STARTTLS command.
+ SIONS (formerly called SMTPS) protocol instead of using the
+ STARTTLS command.
Available in Postfix version 3.1 and later:
- <b><a href="postconf.5.html#smtp_tls_dane_insecure_mx_policy">smtp_tls_dane_insecure_mx_policy</a> (see 'postconf -d' output)</b>
- The TLS policy for MX hosts with "secure" TLSA records when the
- nexthop destination security level is <b>dane</b>, but the MX record
+ <b><a href="postconf.5.html#smtp_tls_dane_insecure_mx_policy">smtp_tls_dane_insecure_mx_policy</a> (dane)</b>
+ The TLS policy for MX hosts with "secure" TLSA records when the
+ nexthop destination security level is <b>dane</b>, but the MX record
was found via an "insecure" MX lookup.
Available in Postfix version 3.2 and later:
<b><a href="postconf.5.html#tls_eecdh_auto_curves">tls_eecdh_auto_curves</a> (see 'postconf -d' output)</b>
- The prioritized list of elliptic curves, that should be enabled
+ The prioritized list of elliptic curves, that should be enabled
in the Postfix SMTP client and server.
Available in Postfix version 3.4 and later:
Try to make multiple deliveries per TLS-encrypted connection.
<b><a href="postconf.5.html#smtp_tls_chain_files">smtp_tls_chain_files</a> (empty)</b>
- List of one or more PEM files, each holding one or more private
+ List of one or more PEM files, each holding one or more private
keys directly followed by a corresponding certificate chain.
<b><a href="postconf.5.html#smtp_tls_servername">smtp_tls_servername</a> (empty)</b>
- Optional name to send to the remote SMTP server in the TLS
+ Optional name to send to the remote SMTP server in the TLS
Server Name Indication (SNI) extension.
Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later:
<b><a href="postconf.5.html#tls_fast_shutdown_enable">tls_fast_shutdown_enable</a> (yes)</b>
- A workaround for implementations that hang Postfix while shut-
+ A workaround for implementations that hang Postfix while shut-
ting down a TLS session, until Postfix times out.
Available in Postfix version 3.8 and later:
<b><a href="postconf.5.html#tls_ffdhe_auto_groups">tls_ffdhe_auto_groups</a> (see 'postconf -d' output)</b>
- The prioritized list of finite-field Diffie-Hellman ephemeral
+ The prioritized list of finite-field Diffie-Hellman ephemeral
(FFDHE) key exchange groups supported by the Postfix SMTP client
and server.
Optional configuration file with baseline OpenSSL settings.
<b><a href="postconf.5.html#tls_config_name">tls_config_name</a> (empty)</b>
- The application name passed by Postfix to OpenSSL library ini-
+ The application name passed by Postfix to OpenSSL library ini-
tialization functions.
Available in Postfix version 3.9 and later:
<b><a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> (no)</b>
- Request that remote SMTP servers send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key
+ Request that remote SMTP servers send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key
instead of an X.509 certificate.
Available in Postfix version 3.10 and later:
<b><a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a> (yes)</b>
Do not report the TLSRPT status for TLS protocol handshakes that
- reuse a previously-negotiated TLS session (there is no new
+ reuse a previously-negotiated TLS session (there is no new
information to report).
<b><a href="postconf.5.html#tls_required_enable">tls_required_enable</a> (yes)</b>
defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>.
<b><a name="obsolete_starttls_controls">OBSOLETE STARTTLS CONTROLS</a></b>
- The following configuration parameters exist for compatibility with
- Postfix versions before 2.3. Support for these will be removed in a
+ The following configuration parameters exist for compatibility with
+ Postfix versions before 2.3. Support for these will be removed in a
future release.
<b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
- Opportunistic mode: use TLS when a remote SMTP server announces
+ Opportunistic mode: use TLS when a remote SMTP server announces
STARTTLS support, otherwise send the mail in the clear.
<b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
- Enforcement mode: require that remote SMTP servers use TLS
+ Enforcement mode: require that remote SMTP servers use TLS
encryption, and never send mail in the clear.
<b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
- With mandatory TLS encryption, require that the remote SMTP
- server hostname matches the information in the remote SMTP
+ With mandatory TLS encryption, require that the remote SMTP
+ server hostname matches the information in the remote SMTP
server certificate.
<b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
- Optional lookup tables with the Postfix SMTP client TLS usage
- policy by next-hop destination and by remote SMTP server host-
+ Optional lookup tables with the Postfix SMTP client TLS usage
+ policy by next-hop destination and by remote SMTP server host-
name.
<b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
- Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS
+ Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS
cipher list.
<b><a name="resource_and_rate_controls">RESOURCE AND RATE CONTROLS</a></b>
<b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
- The Postfix SMTP client time limit for completing a TCP connec-
+ The Postfix SMTP client time limit for completing a TCP connec-
tion, or zero (use the operating system built-in time limit).
<b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
- The Postfix SMTP client time limit for sending the HELO or EHLO
- command, and for receiving the initial remote SMTP server
+ The Postfix SMTP client time limit for sending the HELO or EHLO
+ command, and for receiving the initial remote SMTP server
response.
<b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
mand, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
- The Postfix SMTP client time limit for sending the MAIL FROM
+ The Postfix SMTP client time limit for sending the MAIL FROM
command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
- The Postfix SMTP client time limit for sending the SMTP RCPT TO
+ The Postfix SMTP client time limit for sending the SMTP RCPT TO
command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
- The Postfix SMTP client time limit for sending the SMTP DATA
+ The Postfix SMTP client time limit for sending the SMTP DATA
command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
- The Postfix SMTP client time limit for sending the SMTP message
+ The Postfix SMTP client time limit for sending the SMTP message
content.
<b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a> (5)</b>
- The maximal number of MX (mail exchanger) IP addresses that can
- result from Postfix SMTP client mail exchanger lookups, or zero
+ The maximal number of MX (mail exchanger) IP addresses that can
+ result from Postfix SMTP client mail exchanger lookups, or zero
(no limit).
<b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
- The maximal number of SMTP sessions per delivery request before
- the Postfix SMTP client gives up or delivers to a fall-back
+ The maximal number of SMTP sessions per delivery request before
+ the Postfix SMTP client gives up or delivers to a fall-back
<a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit).
<b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
Available in Postfix version 2.2 and earlier:
<b><a href="postconf.5.html#lmtp_cache_connection">lmtp_cache_connection</a> (yes)</b>
- Keep
Postfix LMTP client connections open for up to $<a href="postconf.5.html#max_idle">max_idle</a>
+ Keep
Postfix LMTP client connections open for up to $<a href="postconf.5.html#max_idle">max_idle</a>
seconds.
Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
- Permanently enable SMTP connection caching for the specified
+ Permanently enable SMTP connection caching for the specified
destinations.
<b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
- Temporarily enable SMTP connection caching while a destination
+ Temporarily enable SMTP connection caching while a destination
has a high volume of mail in the <a href="QSHAPE_README.html#active_queue">active queue</a>.
<b><a href="postconf.5.html#smtp_connection_reuse_time_limit">smtp_connection_reuse_time_limit</a> (300s)</b>
Available in Postfix version 2.3 and later:
<b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b>
- Time limit for connection cache connect, send or receive opera-
+ Time limit for connection cache connect, send or receive opera-
tions.
Available in Postfix version 2.9 - 3.6:
<b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b>
- Change the behavior of the smtp_*_timeout time limits, from a
- time limit per read or write system call, to a time limit to
- send or receive a complete record (an SMTP command line, SMTP
- response line, SMTP message content line, or TLS protocol mes-
+ Change the behavior of the smtp_*_timeout time limits, from a
+ time limit per read or write system call, to a time limit to
+ send or receive a complete record (an SMTP command line, SMTP
+ response line, SMTP message content line, or TLS protocol mes-
sage).
Available in Postfix version 2.11 and later:
<b><a href="postconf.5.html#smtp_connection_reuse_count_limit">smtp_connection_reuse_count_limit</a> (0)</b>
- When SMTP connection caching is enabled, the number of times
- that an SMTP session may be reused before it is closed, or zero
+ When SMTP connection caching is enabled, the number of times
+ that an SMTP session may be reused before it is closed, or zero
(no limit).
Available in Postfix version 3.4 and later:
Available in Postfix version 3.7 and later:
<b><a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a> (no)</b>
- Change the behavior of the smtp_*_timeout time limits, from a
- time limit per plaintext or TLS read or write call, to a com-
- bined time limit for sending a complete SMTP request and for
+ Change the behavior of the smtp_*_timeout time limits, from a
+ time limit per plaintext or TLS read or write call, to a com-
+ bined time limit for sending a complete SMTP request and for
receiving a complete SMTP response.
<b><a href="postconf.5.html#smtp_min_data_rate">smtp_min_data_rate</a> (500)</b>
- The minimum plaintext data transfer rate in bytes/second for
+ The minimum plaintext data transfer rate in bytes/second for
DATA requests, when deadlines are enabled with
<a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a>.
<b><a href="postconf.5.html#transport_destination_concurrency_limit">transport_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concur</a>-</b>
<b><a href="postconf.5.html#default_destination_concurrency_limit">rency_limit</a>)</b>
- A
transport-specific override for the <a href="postconf.5.html#default_destination_concurrency_limit">default_destination_con</a>-
+ A
transport-specific override for the <a href="postconf.5.html#default_destination_concurrency_limit">default_destination_con</a>-
<a href="postconf.5.html#default_destination_concurrency_limit">currency_limit</a> parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
name of the message delivery transport.
<b><a href="postconf.5.html#transport_destination_recipient_limit">transport_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipi</a>-</b>
<b><a href="postconf.5.html#default_destination_recipient_limit">ent_limit</a>)</b>
A transport-specific override for the <a href="postconf.5.html#default_destination_recipient_limit">default_destination_recip</a>-
- <a href="postconf.5.html#default_destination_recipient_limit">ient_limit</a>
parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
+ <a href="postconf.5.html#default_destination_recipient_limit">ient_limit</a>
parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
name of the message delivery transport.
<b><a name="smtputf8_controls">SMTPUTF8 CONTROLS</a></b>
Preliminary SMTPUTF8 support is introduced with Postfix 3.0.
<b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b>
- Enable preliminary SMTPUTF8 support for the protocols described
+ Enable preliminary SMTPUTF8 support for the protocols described
in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>, <a href="https://tools.ietf.org/html/rfc6532">RFC 6532</a>, and <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a>.
<b><a href="postconf.5.html#smtputf8_autodetect_classes">smtputf8_autodetect_classes</a> (sendmail, verify)</b>
- Detect that a message requires SMTPUTF8 support for the speci-
+ Detect that a message requires SMTPUTF8 support for the speci-
fied mail origin classes.
Available in Postfix version 3.2 and later:
<b><a href="postconf.5.html#enable_idna2003_compatibility">enable_idna2003_compatibility</a> (no)</b>
- Enable 'transitional' compatibility between IDNA2003 and
- IDNA2008, when converting UTF-8 domain names to/from the ASCII
+ Enable 'transitional' compatibility between IDNA2003 and
+ IDNA2008, when converting UTF-8 domain names to/from the ASCII
form that is used for DNS lookups.
<b><a name="trouble_shooting_controls">TROUBLE SHOOTING CONTROLS</a></b>
<b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
- The increment in verbose logging level when a nexthop destina-
- tion, remote client or server name or network address matches a
+ The increment in verbose logging level when a nexthop destina-
+ tion, remote client or server name or network address matches a
pattern given with the <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
<b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
- Optional list of nexthop destination, remote client or server
- name or network address patterns that, if matched, cause the
- verbose logging level to increase by the amount specified in
+ Optional list of nexthop destination, remote client or server
+ name or network address patterns that, if matched, cause the
+ verbose logging level to increase by the amount specified in
$<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
<b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
- The recipient of postmaster notifications about mail delivery
+ The recipient of postmaster notifications about mail delivery
problems that are caused by policy, resource, software or proto-
col errors.
<b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
- What categories of Postfix-generated mail are subject to
- before-queue
content inspection by <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>,
+ What categories of Postfix-generated mail are subject to
+ before-queue
content inspection by <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>,
<a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
<b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
<b><a name="miscellaneous_controls">MISCELLANEOUS CONTROLS</a></b>
<b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b>
- Where the Postfix SMTP client should deliver mail when it
+ Where the Postfix SMTP client should deliver mail when it
detects a "mail loops back to myself" error condition.
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
- The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
+ The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
figuration files.
<b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
- How much time a Postfix daemon process may take to handle a
+ How much time a Postfix daemon process may take to handle a
request before it is terminated by a built-in watchdog timer.
<b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
- The maximal number of digits after the decimal point when log-
+ The maximal number of digits after the decimal point when log-
ging delay values.
<b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
Disable DNS lookups in the Postfix SMTP and LMTP clients.
<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
- The local network interface addresses that this mail system
+ The local network interface addresses that this mail system
receives mail on.
<b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (see 'postconf -d' output)</b>
- The Internet protocols Postfix will attempt to use when making
+ The Internet protocols Postfix will attempt to use when making
or accepting connections.
<b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
- The time limit for sending or receiving information over an
+ The time limit for sending or receiving information over an
internal communication channel.
<b><a href="postconf.5.html#lmtp_assume_final">lmtp_assume_final</a> (no)</b>
- When a remote LMTP server announces no DSN support, assume that
- the server performs final delivery, and send "delivered" deliv-
+ When a remote LMTP server announces no DSN support, assume that
+ the server performs final delivery, and send "delivered" deliv-
ery status notifications instead of "relayed".
<b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b>
The default TCP port that the Postfix LMTP client connects to.
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
- The maximum amount of time that an idle Postfix daemon process
+ The maximum amount of time that an idle Postfix daemon process
waits for an incoming connection before terminating voluntarily.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
The process name of a Postfix command or daemon process.
<b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
- The remote network interface addresses that this mail system
- receives mail on by way of a proxy or network address transla-
+ The remote network interface addresses that this mail system
+ receives mail on by way of a proxy or network address transla-
tion unit.
<b><a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> (any)</b>
The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP
- client will try first, when a destination has IPv6 and IPv4
+ client will try first, when a destination has IPv6 and IPv4
addresses with equal MX preference.
<b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
- An optional numerical network address that the Postfix SMTP
+ An optional numerical network address that the Postfix SMTP
client should bind to when making an IPv4 connection.
<b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
- An optional numerical network address that the Postfix SMTP
+ An optional numerical network address that the Postfix SMTP
client should bind to when making an IPv6 connection.
<b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
- A prefix that is prepended to the process name in syslog
+ A prefix that is prepended to the process name in syslog
records, so that, for example, "smtpd" becomes "prefix/smtpd".
Available with Postfix 2.2 and earlier:
Available with Postfix 2.3 and later:
<b><a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a> ($<a href="postconf.5.html#fallback_relay">fallback_relay</a>)</b>
- Optional list of relay destinations that will be used when an
- SMTP destination is not found, or when delivery fails due to a
+ Optional list of relay destinations that will be used when an
+ SMTP destination is not found, or when delivery fails due to a
non-permanent error.
Available with Postfix 3.0 and later:
<b><a href="postconf.5.html#smtp_address_verify_target">smtp_address_verify_target</a> (rcpt)</b>
- In the context of email address verification, the SMTP protocol
+ In the context of email address verification, the SMTP protocol
stage that determines whether an email address is deliverable.
Available with Postfix 3.1 and later:
Available in Postfix 3.7 and later:
<b><a href="postconf.5.html#smtp_bind_address_enforce">smtp_bind_address_enforce</a> (no)</b>
- Defer delivery when the Postfix SMTP client cannot apply the
+ Defer delivery when the Postfix SMTP client cannot apply the
<a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> or <a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> setting.
<b><a name="see_also">SEE ALSO</a></b>
.PP
.nf
.na
-# Distinguish inbound MTA logging from submission and smtps logging.
+# Distinguish inbound MTA logging from submission and submissions logging.
smtp inet n \- n \- \- smtpd
submission inet n \- n \- \- smtpd
\-o syslog_name=postfix/$service_name
-smtps inet n \- n \- \- smtpd
+submissions inet n \- n \- \- smtpd
\-o syslog_name=postfix/$service_name
.fi
.ad
TLS connection reuse" for background details.
.PP
This feature is available in Postfix 3.4 and later.
-.SH smtp_tls_dane_insecure_mx_policy (default: see "postconf \-d" output)
+.SH smtp_tls_dane_insecure_mx_policy (default: dane)
The TLS policy for MX hosts with "secure" TLSA records when the
nexthop destination security level is \fBdane\fR, but the MX
record was found via an "insecure" MX lookup. The choices are:
"Verified", because the MX host name could have been forged.
.br
.br
-The default setting for Postfix >= 3.6 is "dane" with
-"smtp_tls_security_level = dane", otherwise "may". This behavior
-was backported to Postfix versions 3.5.9, 3.4.19, 3.3.16. 3.2.21.
-With earlier Postfix versions the default setting was always "dane".
+The default setting is "dane" as of Postfix versions 3.6.17,
+3.7.13, 3.8.8, 3.9.2, and 3.10.0. With earlier versions the default
+was mistakenly dependent on the smtp_tls_security_level setting.
.PP
Though with "insecure" MX records an active attacker can
compromise SMTP transport security by returning forged MX records,
This feature is available in Postfix 2.3 and later.
.SH smtp_tls_wrappermode (default: no)
Request that the Postfix SMTP client connects using the
-SUBMISSIONS/SMTPS protocol instead of using the STARTTLS command.
+SUBMISSIONS (formerly called SMTPS) protocol instead of using the
+STARTTLS command.
.PP
This mode requires "smtp_tls_security_level = encrypt" or
stronger.
.PP
-Example: deliver all remote mail via a provider's server
-"mail.example.com".
+Example: deliver all remote mail via a provider's submissions
+service at "mail.example.com".
.PP
.nf
.na
/etc/postfix/main.cf:
- # Client\-side SMTPS requires "encrypt" or stronger.
+ # Client\-side SUBMISSIONS requires "encrypt" or stronger.
smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes
# The [] suppress MX lookups.
- relayhost = [mail.example.com]:465
+ relayhost = [mail.example.com]:submissions
.fi
.ad
.PP
.in +4
Note: to enforce that the From: header address
matches the envelope sender (MAIL FROM) address, use an external
-filter such as a Milter, for the submission, submissions, or smtps
+filter such as a Milter, for the submission or submissions (formerly
+called smtps )
services. For example: https://github.com/magcks/milterfrom.
.in -4
.PP
.br
Note: to enforce that the From: header address matches the envelope
sender (MAIL FROM) address, use an external filter such as a Milter,
-for the submission, submissions, or smtps services. For example:
-https://github.com/magcks/milterfrom.
+for the submission or submissions (formerly called smtps) services.
+For example: https://github.com/magcks/milterfrom.
.br
This feature is available in Postfix version 2.1 and later.
.br
.br
Note: to enforce that the From: header address matches the envelope
sender (MAIL FROM) address, use an external filter such as a Milter,
-for the submission, submissions, or smtps services. For example:
-https://github.com/magcks/milterfrom.
+for the submission or submissions (formerly called smtps) services.
+For example: https://github.com/magcks/milterfrom.
.br
This feature is available in Postfix version 2.11 and later.
.br
.br
Note: to enforce that the From: header address matches the envelope
sender (MAIL FROM) address, use an external filter such as a Milter,
-for the submission, submissions, or smtps services. For example:
-https://github.com/magcks/milterfrom.
+for the submission or submissions (formerly called smtps) services.
+For example: https://github.com/magcks/milterfrom.
.br
This feature is available in Postfix version 2.1 and later.
.br
this parameter is always ignored, and Postfix behaves as though the
\fBauto\fR value (described below) was chosen.
.PP
+This feature is not used as of Postfix 3.6. Do not specify.
+.PP
The available choices are:
.IP "\fBauto\fR"
Use the most preferred curve that is
.PP
If you want to support this service, enable a special port in
master.cf, and specify "\-o smtpd_tls_wrappermode=yes" on the SMTP
-server's command line. Port 465 (submissions/smtps) is reserved for
-this purpose.
+server's command line. Port 465 (submissions, formerly called smtps)
+is reserved for this purpose.
.PP
This feature is available in Postfix 2.2 and later.
.SH smtpd_upstream_proxy_protocol (default: empty)
.ad
.in -4
.PP
+Example: Custom OpenSSL group settings.
+.PP
+.nf
+.na
+main.cf:
+ tls_config_file = ${config_directory}/openssl.cnf
+ tls_config_name = postfix
+.fi
+.ad
+.PP
+.nf
+.na
+openssl.cnf:
+ postfix = postfix_settings
+.fi
+.ad
+.PP
+.nf
+.na
+ [postfix_settings]
+ ssl_conf = postfix_ssl_settings
+.fi
+.ad
+.PP
+.nf
+.na
+ [postfix_ssl_settings]
+ system_default = baseline_postfix_settings
+.fi
+.ad
+.PP
+.nf
+.na
+ [baseline_postfix_settings]
+ # New OpenSSL 3.5 syntax, for older releases consider
+ # the Postfix default:
+ #
+ # Groups = X25519:X448:prime256v1:secp384r1:secp521r1:ffdhe2048:ffdhe3072
+ #
+ Groups = *X25519MLKEM768 / *X25519:X448 / P\-256:P\-384
+.fi
+.ad
+.PP
+Caution: It is typically best to just use the default group
+settings, for which no $tls_config_file is required (you can set
+"tls_config_file = none", to avoid unwanted leakage of system\-wide
+settings that strive to harden HTTPS against mostly browser\-specific
+security and privacy issues into Postfix use of opportunistic TLS,
+where they're they can be counterproductive, leading to downgrades
+to cleartext, rather than more "secure" TLS).
+.PP
This feature is available in Postfix >= 3.9, 3.8.1, 3.7.6,
3.6.10, and 3.5.20.
.SH tls_config_name (default: empty)
This feature is available in Postfix 2.8 and later.
.SH tls_eecdh_auto_curves (default: see "postconf \-d" output)
The prioritized list of elliptic curves, that should be enabled in the
-Postfix SMTP client and server. These are used by the Postfix SMTP server when
-"smtpd_tls_eecdh_grade = auto". The selected curves should be implemented
+Postfix SMTP client and server. The selected curves should be implemented
by OpenSSL and be standardized for use in the TLS "supported groups" extension
(RFC8422, RFC8446 and RFC8447). Be sure to include at least "x25519" and
"prime256v1" (the OpenSSL name for "secp256r1", a.k.a. "P\-256"). The default
customizing the list of FFDHE groups enabled with TLS 1.3. That setting
is introduced with Postfix 3.8, when built against OpenSSL 3.0 or later.
.PP
+Post\-quantum cryptography support: OpenSSL 3.5 introduces new
+configuration syntax that Postfix will not attempt to imitate.
+Instead, with Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and later, set
+both tls_eecdh_auto_curves and if available tls_ffdhe_auto_groups
+to the empty value, to enable algorithm selection through OpenSSL
+configuration. See tls_config_file for a configuration example.
+.PP
This feature is available in Postfix 3.2 and later, when it is
compiled and linked with OpenSSL 1.0.2 or later on platforms where
EC algorithms have not been disabled by the vendor.
is unwise to choose only "bleeding\-edge" curves supported by only a
small subset of clients.
.PP
+This feature is not used as of Postfix 3.6. Do not specify.
+.PP
The default "strong" curve is rated in NSA Suite
B for information classified up to SECRET.
.PP
to take place. It is unwise to choose only "bleeding\-edge" curves
supported by only a small subset of clients.
.PP
+This feature is not used as of Postfix 3.6. Do not specify.
+.PP
This default "ultra" curve is rated in NSA Suite
B for information classified up to TOP SECRET.
.PP
on whether any of the "kDHE" ciphers are included in the cipherlist.
.PP
Conversely, setting "tls_eecdh_auto_curves" empty disables TLS 1.3
-EC key agreement in OpenSSL 3.0 and later. Note that at least one of
-"tls_eecdh_auto_curves" and "tls_ffdhe_auto_groups" must be non\-empty,
-this is required by OpenSSL 3.0. If both are inadvertently set empty,
-Postfix will fall back to the compiled\-in defaults.
+EC key agreement in OpenSSL 3.0 and later. If both are set empty,
+Postfix will fall back to OpenSSL preferences as described next.
+.PP
+Post\-quantum cryptography support: OpenSSL 3.5 introduces new
+configuration syntax that Postfix will not attempt to imitate.
+Instead, with Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and later, set
+both tls_eecdh_auto_curves and tls_ffdhe_auto_groups to the empty
+value, to enable algorithm selection through OpenSSL configuration.
+See tls_config_file for a configuration example.
.PP
All the default groups and EC curves should be sufficiently strong to make
"pruning" the defaults unwise. At a minimum, "x25519" and "prime256v1" (the
elliptic\-curve Diffie\-Hellman (EECDH) key exchange. See
smtpd_tls_eecdh_grade for further details.
.PP
-This feature is deprecated as of Postfix 3.9. Do not specify.
+This feature is not used as of Postfix 3.6. Do not specify.
.PP
This feature is available in Postfix 2.8 and later.
.SH tlsproxy_tls_enable_rpk (default: $smtpd_tls_enable_rpk)
.PP
Specify zero or more service names separated by comma and/or
whitespace. Any name in the \fBservices\fR(5) database may be specified,
-though in practice only submission, submissions, and smtp make
-sense.
+though in practice only submission or submissions (formerly called
+smtp) make sense.
.PP
When SRV record lookup is enabled with use_srv_lookup, you can
enclose a domain name in "[]" to force IP address lookup instead
Available in Postfix version 3.0 and later:
.IP "\fBsmtp_tls_wrappermode (no)\fR"
Request that the Postfix SMTP client connects using the
-SUBMISSIONS/SMTPS protocol instead of using the STARTTLS command.
+SUBMISSIONS (formerly called SMTPS) protocol instead of using the
+STARTTLS command.
.PP
Available in Postfix version 3.1 and later:
-.IP "\fBsmtp_tls_dane_insecure_mx_policy (see 'postconf -d' output)\fR"
+.IP "\fBsmtp_tls_dane_insecure_mx_policy (dane)\fR"
The TLS policy for MX hosts with "secure" TLSA records when the
nexthop destination security level is \fBdane\fR, but the MX
record was found via an "insecure" MX lookup.
built-in DANE), and domains with MTA-STS. </p>
<li> <p> <a href="https://github.com/Snawoot/postfix-mta-sts-resolver">
-postfix-mta-sts-resolver</a>, supports domains with MTA-STS. </p>
+postfix-mta-sts-resolver</a>, supports domains with MTA-STS as of
+release 1.5.0 (February 2025). </p>
</ul>
<p> It is strictly discouraged to use this mode from main.cf. If
you want to support this service, enable a special port in master.cf
and specify "-o smtpd_tls_wrappermode=yes" (note: no space around
-the "=") as an smtpd(8) command line option. Port 465 (smtps) was
-once chosen for this feature.
+the "=") as an smtpd(8) command line option. Port 465 (submissions,
+formerly called smtps) is the most common example.
</p>
<p> Example: </p>
<blockquote>
<pre>
/etc/postfix/master.cf:
- smtps inet n - n - - smtpd
+ submissions inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
</pre>
</blockquote>
<li> <a href="#client_cipher">Client-side cipher controls </a>
-<li> <a href="#client_smtps">Client-side SMTPS support </a>
+<li> <a href="#client_smtps">Client-side submissions (formerly called smtps) support </a>
<li> <a href="#client_misc"> Miscellaneous client controls </a>
</pre>
</blockquote>
-<h3> <a name="client_smtps">Client-side SMTPS support </a> </h3>
+<h3> <a name="client_smtps">Client-side submissions (formerly called smtps) support </a> </h3>
<p> These sections show how to send mail to a server that does not
-support STARTTLS, but that provides the SMTPS service
+support STARTTLS, but that provides the submissions (smtps) service
on TCP port 465. Depending on the Postfix version, some additional
tooling may be required. </p>
<h4> Postfix ≥ 3.0 </h4>
-<p> The Postfix SMTP client has SMTPS support built-in as of version
+<p> The Postfix SMTP client has submissions service support built-in
+as of version
3.0. Use one of the following examples, to send all remote mail,
-or to send only some remote mail, to an SMTPS server. </p>
+or to send only some remote mail, to a submissions (smtps) server. </p>
-<h5> Postfix ≥ 3.0: Sending all remote mail to an SMTPS server </h5>
+<h5> Postfix ≥ 3.0: Sending all remote mail to a submissions (formerly called smtps) server </h5>
-<p> The first example will send all remote mail over SMTPS through
-a provider's server called "mail.example.com": </p>
+<p> The first example will send all remote mail to through a
+provider's submissions server called "mail.example.com": </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
- # Client-side SMTPS requires "encrypt" or stronger.
+ # Client-side submissions requires "encrypt" or stronger.
smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes
# The [] suppress MX lookups.
- relayhost = [mail.example.com]:465
+ relayhost = [mail.example.com]:submissions
</pre>
</blockquote>
</p>
<h5> Postfix ≥ 3.0: Sending only mail for a specific destination
-via SMTPS </h5>
+to a submissions (formerly called smtps) service </h5>
-<p> The second example will send only mail for "example.com" via
-SMTPS. This time, Postfix uses a transport map to deliver only
-mail for "example.com" via SMTPS: </p>
+<p> The second example will send only mail for "example.com" using
+the submissions (smtps) service.
+This time, Postfix uses a transport map to deliver only
+mail for "example.com" using the submissions (smtps) service: </p>
<blockquote>
<pre>
transport_maps = hash:/etc/postfix/transport
/etc/postfix/transport:
- example.com relay-smtps:example.com:465
+ example.com relay-submissions:example.com:submissions
/etc/postfix/master.cf:
- relay-smtps unix - - n - - smtp
- # Client-side SMTPS requires "encrypt" or stronger.
+ relay-submissions unix - - n - - smtp
+ # Client-side submissions service requires "encrypt" or stronger.
-o smtp_tls_security_level=encrypt
-o smtp_tls_wrappermode=yes
</pre>
<h4> Postfix < 3.0 </h4>
-<p> Although older Postfix SMTP client versions do not support TLS
-wrapper mode, it is relatively easy to forward a connection through
-the stunnel program if Postfix needs to deliver mail to some legacy
-system that doesn't support STARTTLS. </p>
-
-<h5> Postfix < 3.0: Sending all remote mail to an SMTPS server </h5>
-
-<p> The first example uses SMTPS to send all remote mail to a
-provider's mail server called "mail.example.com". </p>
-
-<p> A minimal stunnel.conf file is sufficient to set up a tunnel
-from local port 11125 to the remote destination "mail.example.com"
-and port "smtps". Postfix will later use this tunnel to connect to
-the remote server. </p>
-
-<blockquote>
-<pre>
-/path/to/stunnel.conf:
- [smtp-tls-wrapper]
- accept = 11125
- client = yes
- connect = mail.example.com:smtps
-</pre>
-</blockquote>
-
-<p> To test this tunnel, use: </p>
-
-<blockquote>
-<pre>
-$ telnet localhost 11125
-</pre>
-</blockquote>
-
-<p> This should produce the greeting from the remote SMTP server
-at mail.example.com. </p>
-
-<p> On the Postfix side, the relayhost feature sends all remote
-mail through the local stunnel listener on port 11125: </p>
-
-<blockquote>
-<pre>
-/etc/postfix/main.cf:
- relayhost = [127.0.0.1]:11125
-</pre>
-</blockquote>
-
-<p> Use "postfix reload" to make the change effective. </p>
-
-<p> See SOHO_README for additional information about SASL
-authentication. </p>
-
-<h4> Postfix < 3.0: Sending only mail for a specific destination via SMTPS </h4>
-
-<p> The second example will use SMTPS to send only mail for
-"example.com" via SMTPS. It uses the same stunnel configuration
-file as the first example, so it won't be repeated here. </p>
-
-<p> This time, the Postfix side uses a transport map to direct only
-mail for "example.com" through the tunnel: </p>
-
-<blockquote>
-<pre>
-/etc/postfix/main.cf:
- transport_maps = hash:/etc/postfix/transport
-
-/etc/postfix/transport:
- example.com relay:[127.0.0.1]:11125
-</pre>
-</blockquote>
-
-<p> Use "postmap hash:/etc/postfix/transport" and "postfix reload"
-to make the change effective. </p>
-
-<p> See SOHO_README for additional information about SASL authentication.
-</p>
+<p> Please see TLS_LEGACY_README. </p>
<h3> <a name="client_misc"> Miscellaneous client controls </a> </h3>
defers delivery if no alternative server is available. </p>
<p> Example: </p>
-
+
<blockquote>
<pre>
/etc/postfix/main.cf:
an OpenSSL library that could be vulnerable. </p>
<p> Example: </p>
-
+
<blockquote>
<pre>
/etc/postfix/main.cf:
<blockquote> <p> Note: to enforce that the From: header address
matches the envelope sender (MAIL FROM) address, use an external
-filter such as a Milter, for the submission, submissions, or smtps
+filter such as a Milter, for the submission or submissions (formerly
+called smtps )
services. For example: https://github.com/magcks/milterfrom. </p>
</blockquote>
<br>
Note: to enforce that the From: header address matches the envelope
sender (MAIL FROM) address, use an external filter such as a Milter,
-for the submission, submissions, or smtps services. For example:
-https://github.com/magcks/milterfrom.
+for the submission or submissions (formerly called smtps) services.
+For example: https://github.com/magcks/milterfrom.
<br>
This feature is available in Postfix version 2.1 and later. </dd>
<br>
Note: to enforce that the From: header address matches the envelope
sender (MAIL FROM) address, use an external filter such as a Milter,
-for the submission, submissions, or smtps services. For example:
-https://github.com/magcks/milterfrom.
+for the submission or submissions (formerly called smtps) services.
+For example: https://github.com/magcks/milterfrom.
<br>
This feature is available in Postfix version 2.11 and later.</dd>
<br>
Note: to enforce that the From: header address matches the envelope
sender (MAIL FROM) address, use an external filter such as a Milter,
-for the submission, submissions, or smtps services. For example:
-https://github.com/magcks/milterfrom.
+for the submission or submissions (formerly called smtps) services.
+For example: https://github.com/magcks/milterfrom.
<br>
This feature is available in Postfix version 2.1 and later.</dd>
<p> Example master.cf entries: </p>
<pre>
-# Distinguish inbound MTA logging from submission and smtps logging.
+# Distinguish inbound MTA logging from submission and submissions logging.
smtp inet n - n - - smtpd
submission inet n - n - - smtpd
-o syslog_name=postfix/$service_name
-smtps inet n - n - - smtpd
+submissions inet n - n - - smtpd
-o syslog_name=postfix/$service_name
</pre>
<p> If you want to support this service, enable a special port in
master.cf, and specify "-o smtpd_tls_wrappermode=yes" on the SMTP
-server's command line. Port 465 (submissions/smtps) is reserved for
-this purpose. </p>
+server's command line. Port 465 (submissions, formerly called smtps)
+is reserved for this purpose. </p>
<p> This feature is available in Postfix 2.2 and later. </p>
%PARAM tls_eecdh_auto_curves see "postconf -d" output
<p> The prioritized list of elliptic curves, that should be enabled in the
-Postfix SMTP client and server. These are used by the Postfix SMTP server when
-"smtpd_tls_eecdh_grade = auto". The selected curves should be implemented
+Postfix SMTP client and server. The selected curves should be implemented
by OpenSSL and be standardized for use in the TLS "supported groups" extension
(RFC8422, RFC8446 and RFC8447). Be sure to include at least "x25519" and
"prime256v1" (the OpenSSL name for "secp256r1", a.k.a. "P-256"). The default
is introduced with Postfix 3.8, when built against OpenSSL 3.0 or later.
</p>
+<p> Post-quantum cryptography support: OpenSSL 3.5 introduces new
+configuration syntax that Postfix will not attempt to imitate.
+Instead, with Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and later, set
+both tls_eecdh_auto_curves and if available tls_ffdhe_auto_groups
+to the empty value, to enable algorithm selection through OpenSSL
+configuration. See tls_config_file for a configuration example.
+</p>
+
<p> This feature is available in Postfix 3.2 and later, when it is
compiled and linked with OpenSSL 1.0.2 or later on platforms where
EC algorithms have not been disabled by the vendor. </p>
</p>
<p> Conversely, setting "tls_eecdh_auto_curves" empty disables TLS 1.3
-EC key agreement in OpenSSL 3.0 and later. Note that at least one of
-"tls_eecdh_auto_curves" and "tls_ffdhe_auto_groups" must be non-empty,
-this is required by OpenSSL 3.0. If both are inadvertently set empty,
-Postfix will fall back to the compiled-in defaults. </p>
+EC key agreement in OpenSSL 3.0 and later. If both are set empty,
+Postfix will fall back to OpenSSL preferences as described next. </p>
+
+<p> Post-quantum cryptography support: OpenSSL 3.5 introduces new
+configuration syntax that Postfix will not attempt to imitate.
+Instead, with Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and later, set
+both tls_eecdh_auto_curves and tls_ffdhe_auto_groups to the empty
+value, to enable algorithm selection through OpenSSL configuration.
+See tls_config_file for a configuration example. </p>
<p> All the default groups and EC curves should be sufficiently strong to make
"pruning" the defaults unwise. At a minimum, "x25519" and "prime256v1" (the
is unwise to choose only "bleeding-edge" curves supported by only a
small subset of clients. </p>
+<p> This feature is not used as of Postfix 3.6. Do not specify. </p>
+
<p> The default "strong" curve is rated in NSA <a
href="https://web.archive.org/web/20160330034144/https://www.nsa.gov/ia/programs/suiteb_cryptography/">Suite
B</a> for information classified up to SECRET. </p>
to take place. It is unwise to choose only "bleeding-edge" curves
supported by only a small subset of clients. </p>
+<p> This feature is not used as of Postfix 3.6. Do not specify. </p>
+
<p> This default "ultra" curve is rated in NSA <a
href="https://web.archive.org/web/20160330034144/https://www.nsa.gov/ia/programs/suiteb_cryptography/">Suite
B</a> for information classified up to TOP SECRET. </p>
<b>auto</b> value (described below) was chosen.
</p>
+<p> This feature is not used as of Postfix 3.6. Do not specify. </p>
+
<p> The available choices are: </p>
<dl>
elliptic-curve Diffie-Hellman (EECDH) key exchange. See
smtpd_tls_eecdh_grade for further details. </p>
-<p> This feature is deprecated as of Postfix 3.9. Do not specify. </p>
+<p> This feature is not used as of Postfix 3.6. Do not specify. </p>
<p> This feature is available in Postfix 2.8 and later. </p>
%PARAM smtp_tls_wrappermode no
<p> Request that the Postfix SMTP client connects using the
-SUBMISSIONS/SMTPS protocol instead of using the STARTTLS command. </p>
+SUBMISSIONS (formerly called SMTPS) protocol instead of using the
+STARTTLS command. </p>
<p> This mode requires "smtp_tls_security_level = encrypt" or
stronger. </p>
-<p> Example: deliver all remote mail via a provider's server
-"mail.example.com". </p>
+<p> Example: deliver all remote mail via a provider's submissions
+service at "mail.example.com". </p>
<pre>
/etc/postfix/main.cf:
- # Client-side SMTPS requires "encrypt" or stronger.
+ # Client-side SUBMISSIONS requires "encrypt" or stronger.
smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes
# The [] suppress MX lookups.
- relayhost = [mail.example.com]:465
+ relayhost = [mail.example.com]:submissions
</pre>
<p> More examples are in TLS_README, including examples for older
This feature is available in Postfix 3.1 and later.
</p>
-%PARAM smtp_tls_dane_insecure_mx_policy see "postconf -d" output
+%PARAM smtp_tls_dane_insecure_mx_policy dane
<p> The TLS policy for MX hosts with "secure" TLSA records when the
nexthop destination security level is <b>dane</b>, but the MX
"Verified", because the MX host name could have been forged. </dd>
</dl>
-<p> The default setting for Postfix ≥ 3.6 is "dane" with
-"smtp_tls_security_level = dane", otherwise "may". This behavior
-was backported to Postfix versions 3.5.9, 3.4.19, 3.3.16. 3.2.21.
-With earlier Postfix versions the default setting was always "dane".
+<p> The default setting is "dane" as of Postfix versions 3.6.17,
+3.7.13, 3.8.8, 3.9.2, and 3.10.0. With earlier versions the default
+was mistakenly dependent on the smtp_tls_security_level setting.
</p>
<p> Though with "insecure" MX records an active attacker can
<p> Specify zero or more service names separated by comma and/or
whitespace. Any name in the services(5) database may be specified,
-though in practice only submission, submissions, and smtp make
-sense. </p>
+though in practice only submission or submissions (formerly called
+smtp) make sense. </p>
<p> When SRV record lookup is enabled with use_srv_lookup, you can
enclose a domain name in "[]" to force IP address lookup instead
</pre>
</blockquote>
+<p> Example: Custom OpenSSL group settings. </p>
+
+<pre>
+main.cf:
+ tls_config_file = ${config_directory}/openssl.cnf
+ tls_config_name = postfix
+</pre>
+
+<pre>
+openssl.cnf:
+ postfix = postfix_settings
+</pre>
+
+<pre>
+ [postfix_settings]
+ ssl_conf = postfix_ssl_settings
+</pre>
+
+<pre>
+ [postfix_ssl_settings]
+ system_default = baseline_postfix_settings
+</pre>
+
+<pre>
+ [baseline_postfix_settings]
+ # New OpenSSL 3.5 syntax, for older releases consider
+ # the Postfix default:
+ #
+ # Groups = X25519:X448:prime256v1:secp384r1:secp521r1:ffdhe2048:ffdhe3072
+ #
+ Groups = *X25519MLKEM768 / *X25519:X448 / P-256:P-384
+</pre>
+
+<p> Caution: It is typically best to just use the default group
+settings, for which no $tls_config_file is required (you can set
+"tls_config_file = none", to avoid unwanted leakage of system-wide
+settings that strive to harden HTTPS against mostly browser-specific
+security and privacy issues into Postfix use of opportunistic TLS,
+where they're they can be counterproductive, leading to downgrades
+to cleartext, rather than more "secure" TLS). </p>
+
<p> This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6,
3.6.10, and 3.5.20. </p>
URI
URIs
bugfix
+MLKEM
+cleartext
cleanup cleanup_message c smtp smtp c smtp smtp_connect c
Documentation edited for clarity Files pipe pipe c
global mail_params h smtpd smtpd c
+ global mail_params h proto postconf proto smtp smtp c
+ proto postconf proto proto TLS_README html
/* SMTP only */
#define VAR_SMTP_TLS_INSECURE_MX_POLICY "smtp_tls_dane_insecure_mx_policy"
-#define DEF_SMTP_TLS_INSECURE_MX_POLICY "${{$smtp_tls_security_level} == {dane} ? {dane} : {may}}"
+#define DEF_SMTP_TLS_INSECURE_MX_POLICY "dane"
extern char *var_smtp_tls_insecure_mx_policy;
/*
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20250207"
+#define MAIL_RELEASE_DATE "20250215"
#define MAIL_VERSION_NUMBER "3.10"
#ifdef SNAPSHOT
/* Available in Postfix version 3.0 and later:
/* .IP "\fBsmtp_tls_wrappermode (no)\fR"
/* Request that the Postfix SMTP client connects using the
-/* SUBMISSIONS/SMTPS protocol instead of using the STARTTLS command.
+/* SUBMISSIONS (formerly called SMTPS) protocol instead of using the
+/* STARTTLS command.
/* .PP
/* Available in Postfix version 3.1 and later:
-/* .IP "\fBsmtp_tls_dane_insecure_mx_policy (see 'postconf -d' output)\fR"
+/* .IP "\fBsmtp_tls_dane_insecure_mx_policy (dane)\fR"
/* The TLS policy for MX hosts with "secure" TLSA records when the
/* nexthop destination security level is \fBdane\fR, but the MX
/* record was found via an "insecure" MX lookup.
void tls_auto_groups(SSL_CTX *ctx, const char *eecdh, const char *ffdhe)
{
-#ifndef OPENSSL_NO_ECDH
char *def_eecdh = DEF_TLS_EECDH_AUTO;
#if OPENSSL_VERSION_PREREQ(3, 0)
#endif
const char *origin;
+ /* Use OpenSSL defaults */
+ if (!*eecdh && !*ffdhe)
+ return;
+
/*
* Try the user-specified list first. If that fails (empty list or no
* known group name), try again with the Postfix defaults. We assume that
return;
}
}
-#endif
}
#ifdef TEST
VAR_TLS_EXPORT_CLIST, DEF_TLS_EXPORT_CLIST, &var_tls_export_ignored, 0, 0,
VAR_TLS_NULL_CLIST, DEF_TLS_NULL_CLIST, &var_tls_null_clist, 1, 0,
VAR_TLS_EECDH_AUTO, DEF_TLS_EECDH_AUTO, &var_tls_eecdh_auto, 0, 0,
- VAR_TLS_EECDH_STRONG, DEF_TLS_EECDH_STRONG, &var_tls_eecdh_strong, 1, 0,
- VAR_TLS_EECDH_ULTRA, DEF_TLS_EECDH_ULTRA, &var_tls_eecdh_ultra, 1, 0,
+ VAR_TLS_EECDH_STRONG, DEF_TLS_EECDH_STRONG, &var_tls_eecdh_strong, 0, 0,
+ VAR_TLS_EECDH_ULTRA, DEF_TLS_EECDH_ULTRA, &var_tls_eecdh_ultra, 0, 0,
VAR_TLS_FFDHE_AUTO, DEF_TLS_FFDHE_AUTO, &var_tls_ffdhe_auto, 0, 0,
VAR_TLS_BUG_TWEAKS, DEF_TLS_BUG_TWEAKS, &var_tls_bug_tweaks, 0, 0,
VAR_TLS_SSL_OPTIONS, DEF_TLS_SSL_OPTIONS, &var_tls_ssl_options, 0, 0,
break;
#endif
}
- EVP_PKEY_free(dh_pkey);
}
+ if (kex_name) {
+ TLScontext->kex_name = mystrdup(kex_name);
+ TLScontext->kex_curve = kex_curve;
+ }
+ /* Not a problem if NULL */
+ EVP_PKEY_free(dh_pkey);
+
+ /* Resumption makes no use of signature keys or digests */
+ if (TLScontext->session_reused)
+ return;
/*
* On the client end, the certificate may be present, but not used, so we
* the more familiar name. For "RSA" keys report "RSA-PSS", which
* must be used with TLS 1.3.
*/
- if ((nid = EVP_PKEY_type(EVP_PKEY_id(local_pkey))) != NID_undef) {
+ if ((nid = EVP_PKEY_id(local_pkey)) != NID_undef) {
switch (nid) {
default:
- locl_sig_name = OBJ_nid2sn(nid);
+ if ((nid = EVP_PKEY_type(nid)) != NID_undef)
+ locl_sig_name = OBJ_nid2sn(nid);
break;
+#if defined(EVP_PKEY_KEYMGMT)
+ case EVP_PKEY_KEYMGMT:
+ locl_sig_name = EVP_PKEY_get0_type_name(local_pkey);
+ break;
+#endif
+
case EVP_PKEY_RSA:
/* For RSA, TLS 1.3 mandates PSS signatures */
locl_sig_name = "RSA-PSS";
*/
if (SSL_get_signature_nid(ssl, &nid) && nid != NID_undef)
locl_sig_dgst = OBJ_nid2sn(nid);
+
+ if (locl_sig_name) {
+ SIG_PROP(TLScontext, srvr, name) = mystrdup(locl_sig_name);
+ SIG_PROP(TLScontext, srvr, curve) = locl_sig_curve;
+ if (locl_sig_dgst)
+ SIG_PROP(TLScontext, srvr, dgst) = mystrdup(locl_sig_dgst);
+ }
}
peer_cert = TLS_PEEK_PEER_CERT(ssl);
if (peer_cert != 0) {
* the more familiar name. For "RSA" keys report "RSA-PSS", which
* must be used with TLS 1.3.
*/
- if ((nid = EVP_PKEY_type(EVP_PKEY_id(peer_pkey))) != NID_undef) {
+ if ((nid = EVP_PKEY_id(peer_pkey)) != NID_undef) {
switch (nid) {
default:
- peer_sig_name = OBJ_nid2sn(nid);
+ if ((nid = EVP_PKEY_type(nid)) != NID_undef)
+ peer_sig_name = OBJ_nid2sn(nid);
break;
+#if defined(EVP_PKEY_KEYMGMT)
+ case EVP_PKEY_KEYMGMT:
+ peer_sig_name = EVP_PKEY_get0_type_name(peer_pkey);
+ break;
+#endif
+
case EVP_PKEY_RSA:
/* For RSA, TLS 1.3 mandates PSS signatures */
peer_sig_name = "RSA-PSS";
if (SSL_get_peer_signature_nid(ssl, &nid) && nid != NID_undef)
peer_sig_dgst = OBJ_nid2sn(nid);
+ if (peer_sig_name) {
+ SIG_PROP(TLScontext, !srvr, name) = mystrdup(peer_sig_name);
+ SIG_PROP(TLScontext, !srvr, curve) = peer_sig_curve;
+ if (peer_sig_dgst)
+ SIG_PROP(TLScontext, !srvr, dgst) = mystrdup(peer_sig_dgst);
+ }
}
TLS_FREE_PEER_CERT(peer_cert);
-
- if (kex_name) {
- TLScontext->kex_name = mystrdup(kex_name);
- TLScontext->kex_curve = kex_curve;
- }
- if (locl_sig_name) {
- SIG_PROP(TLScontext, srvr, name) = mystrdup(locl_sig_name);
- SIG_PROP(TLScontext, srvr, curve) = locl_sig_curve;
- if (locl_sig_dgst)
- SIG_PROP(TLScontext, srvr, dgst) = mystrdup(locl_sig_dgst);
- }
- if (peer_sig_name) {
- SIG_PROP(TLScontext, !srvr, name) = mystrdup(peer_sig_name);
- SIG_PROP(TLScontext, !srvr, curve) = peer_sig_curve;
- if (peer_sig_dgst)
- SIG_PROP(TLScontext, !srvr, dgst) = mystrdup(peer_sig_dgst);
- }
}
/* tls_log_summary - TLS loglevel 1 one-liner, embellished with TLS 1.3 details */
projects / thirdparty / postfix.git / commitdiff
