plaintext after an opportunistic TLS handshake fails. Specify
"smtp_sasl_auth_enforce = no" to deliver mail anyway.
+20060709
+
+ Cleanup: the new single smtpd_tls_security_level parameter
+ obsoletes the multiple smtpd_use_tls and smtpd_enforce_tls
+ parameters. This is done for consistency with the Postfix
+ SMTP client. In the Postfix SMTP server, the levels "verify"
+ and "secure" are currently not applicable, and are treated
+ as "encrypt", after logging a warning. Files: smtpd/smtpd.c,
+ tls/tls_level.c, smtp/smtp_session.c.
+
+ Compatibility: don't send the first body line to Milter
+ applications. This also broke domain key etc. signatures
+ when verified by non-Postfix MTAs. File: milter/milter8.c.
+
Wish list:
The usage of TLScontext->cache_type is unclear. It specifies
OSF1.V3 - OSF1.V5 (Digital UNIX)
Reliant UNIX 5.x
Rhapsody 5.x
- SunOS 4.1.4 (December 2005)
+ SunOS 4.1.4 (July 2006)
SunOS 5.4 - 5.9 (Solaris 2.4..9)
Ultrix 4.x (well, that was long ago)
failure, the server will be unable to receive email from most TLS enabled
clients. To avoid accidental configurations with no certificates, Postfix 2.3
enables certificate-less operation only when the administrator explicitly sets
-"smtpd_tls_cert_file = none". This ensures that new Postfix configurations with
-just "smtpd_use_tls = yes" added, will not accidentally run with no
-certificates.
+"smtpd_tls_cert_file = none". This ensures that new Postfix configurations will
+not accidentally run with no certificates.
Both RSA and DSA certificates are supported. Typically you will only have RSA
certificates issued by a commercial CA. In addition, the tools supplied with
E\bEn\bna\bab\bbl\bli\bin\bng\bg T\bTL\bLS\bS i\bin\bn t\bth\bhe\be P\bPo\bos\bst\btf\bfi\bix\bx S\bSM\bMT\bTP\bP s\bse\ber\brv\bve\ber\br
By default, TLS is disabled in the Postfix SMTP server, so no difference to
-plain Postfix is visible. Explicitly switch it on using "smtpd_use_tls = yes".
+plain Postfix is visible. Explicitly switch it on with
+"smtpd_tls_security_level = may" (Postfix 2.3 and later) or
+"smtpd_use_tls = yes" (obsolete but still supported).
Example:
/etc/postfix/main.cf:
+ # Postfix 2.3 and later
+ smtpd_tls_security_level = may
+ # Obsolete, but still supported
smtpd_use_tls = yes
With this, Postfix SMTP server announces STARTTLS support to SMTP clients, but
You can ENFORCE the use of TLS, so that the Postfix SMTP server announces
STARTTLS and accepts no mail without TLS encryption, by setting
-"smtpd_enforce_tls = yes". According to RFC 2487 this MUST NOT be applied in
-case of a publicly-referenced Postfix SMTP server. This option is off by
-default and should only seldom be used.
+"smtpd_tls_security_level = encrypt" (Postfix 2.3 and later) or
+"smtpd_enforce_tls = yes" (obsolete but still supported). According to RFC 2487
+this MUST NOT be applied in case of a publicly-referenced Postfix SMTP server.
+This option is off by default and should only seldom be used.
Example:
/etc/postfix/main.cf:
+ # Postfix 2.3 and later
+ smtpd_tls_security_level = encrypt
+ # Obsolete, but still supported
smtpd_enforce_tls = yes
TLS is sometimes used in the non-standard "wrapper" mode where a server always
Example:
/etc/postfix/main.cf:
- smtpd_use_tls = yes
smtpd_tls_ask_ccert = yes
+ # Postfix 2.3 and later
+ smtpd_tls_security_level = may
+ # Obsolete, but still supported
+ smtpd_use_tls = yes
When TLS is enforced you may also decide to REQUIRE a remote SMTP client
certificate for all TLS connections, by setting "smtpd_tls_req_ccert = yes".
Example:
/etc/postfix/main.cf:
- smtpd_enforce_tls = yes
smtpd_tls_req_ccert = yes
+ # Postfix 2.3 and later
+ smtpd_tls_security_level = encrypt
+ # Obsolete, but still supported
+ smtpd_enforce_tls = yes
A client certificate verification depth of 1 is sufficient if the certificate
is directly issued by a CA listed in the CA file. The default value (5) should
S\bSu\bup\bpp\bpo\bor\brt\bti\bin\bng\bg A\bAU\bUT\bTH\bH o\bov\bve\ber\br T\bTL\bLS\bS o\bon\bnl\bly\by
Sending AUTH data over an unencrypted channel poses a security risk. When TLS
-layer encryption is required (smtpd_enforce_tls = yes), the Postfix SMTP server
-will announce and accept AUTH only after the TLS layer has been activated with
-STARTTLS. When TLS layer encryption is optional (smtpd_enforce_tls = no), it
-may however still be useful to only offer AUTH when TLS is active. To maintain
-compatibility with non-TLS clients, the default is to accept AUTH without
-encryption. In order to change this behavior, set "smtpd_tls_auth_only = yes".
+layer encryption is required ("smtpd_tls_security_level = encrypt" or the
+obsolete "smtpd_enforce_tls = yes"), the Postfix SMTP server will announce and
+accept AUTH only after the TLS layer has been activated with STARTTLS. When TLS
+layer encryption is optional ("smtpd_tls_security_level = may" or the obsolete
+"smtpd_enforce_tls = no"), it may however still be useful to only offer AUTH
+when TLS is active. To maintain compatibility with non-TLS clients, the default
+is to accept AUTH without encryption. In order to change this behavior, set
+"smtpd_tls_auth_only = yes".
Example:
Example: (MSA that requires TLS with reasonably secure ciphers)
/etc/postfix/main.cf:
- smtpd_use_tls = yes
- smtpd_enforce_tls = yes
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file = /etc/postfix/key.pem
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = aNULL, MD5
+ # Postfix 2.3 and later
+ smtpd_tls_security_level = encrypt
+ # Obsolete, but still supported
+ smtpd_enforce_tls = yes
If you want to take advantage of ciphers with EDH, DH parameters are needed.
Instead of using the built-in DH parameters for both 1024bit and 512bit, it is
M\bMa\ban\bnd\bda\bat\bto\bor\bry\by s\bse\ber\brv\bve\ber\br c\bce\ber\brt\bti\bif\bfi\bic\bca\bat\bte\be v\bve\ber\bri\bif\bfi\bic\bca\bat\bti\bio\bon\bn
At the "verify" TLS security level, messages are sent only over TLS encrypted
-sessions for which server certificate verification succeeds. If no suitable
-servers are found, the message will be deferred. With Postfix 2.3 and later,
-mandatory server certificate verification can be configured by setting
-"smtp_tls_security_level = verify", the smtp_tls_verify_cert_match parameter
-can override the default "hostname" certificate match strategy. Fine-tuning the
-matching strategy is generally only appropriate for secure-channel
-destinations.
+sessions if the server certificate is valid (not expired or revoked, and signed
+by a trusted certificate authority) and if the server certificate name matches
+a known pattern. Mandatory server certificate verification can be configured by
+setting "smtp_tls_security_level = verify". The smtp_tls_verify_cert_match
+parameter can override the default "hostname" certificate name matching
+strategy. Fine-tuning the matching strategy is generally only appropriate for
+secure-channel destinations.
With Postfix 2.2 and earlier, or when smtp_tls_security_level is set to its
default (backwards compatible) empty value, the appropriate configuration
m\bma\bay\by
Opportunistic TLS. No additional attributes are supported at this level.
e\ben\bnc\bcr\bry\byp\bpt\bt
- Mandatory TLS encryption. At this level and higher the optional "ciphers"
- attribute overrides the main.cf smtp_tls_mandatory_ciphers parameter and
- the optional "protocols" keyword overrides the main.cf
- smtp_tls_mandatory_protocols parameter. In the policy table, multiple
- protocols must be separated by colons, as attribute values may not contain
- whitespace or commas.
+ Mandatory TLS encryption. Mail is delivered only if remote SMTP server
+ offers STARTTLS and the TLS handshake succeeds. At this level and higher
+ the optional "ciphers" attribute overrides the main.cf
+ smtp_tls_mandatory_ciphers parameter and the optional "protocols" keyword
+ overrides the main.cf smtp_tls_mandatory_protocols parameter.
v\bve\ber\bri\bif\bfy\by
- Mandatory server certificate verification. The optional "match" attribute
- overrides the main.cf smtp_tls_verify_cert_match parameter. In the policy
- table, multiple match patterns and strategies must be separated by colons.
+ Mandatory server certificate verification. Mail is delivered only if the
+ TLS handshake succeeds, if the server certificate can be validated (not
+ expired or revoked, and signed by a trusted certificate authority), and if
+ the server certificate name matches the optional "match" attribute (or the
+ main.cf smtp_tls_verify_cert_match parameter value when no optional "match"
+ attribute is specified).
s\bse\bec\bcu\bur\bre\be
- Secure-channel TLS. The optional "match" attribute overrides the main.cf
- smtp_tls_secure_cert_match parameter. In the policy table, multiple match
- patterns and strategies must be separated by colons. The match attribute is
- useful when additional domains are supported by common server, the policy
- entries for the additional domains specify matching rules for the primary
- domain certificate. While transport table overrides routing secondary
- domains to the primary nexthop also allow secure verification, they risk
- delivery to the wrong destination when domains change hands or are re-
- assigned to new gateways. With the "match" attribute approach, routing is
- not perturbed, and mail is deferred if verification of a new MX host fails.
+ Secure-channel TLS. Mail is delivered only if the TLS handshake succeeds,
+ if the server certificate can be validated (not expired or revoked, and
+ signed by a trusted certificate authority), and if the server certificate
+ name matches the optional "match" attribute (or the main.cf
+ smtp_tls_secure_cert_match parameter value when no optional "match"
+ attribute is specified).
+Notes:
+
+ * The "match" attribute is especially useful to verify TLS certificates for
+ domains that are hosted on a shared server. In that case, specify "match"
+ rules for the shared server's name. While secure verification can also be
+ achieved with manual routing overrides in Postfix transport(5) tables, that
+ approach can deliver mail to the wrong host when domains are assigned to
+ new gateway hosts. The "match" attribute approach avoids the problems of
+ manual routing overrides; mail is deferred if verification of a new MX host
+ fails.
+
+ * When a policy table entry specifies multiple match patterns, multiple match
+ strategies, or multiple protocols, these must be separated by colons.
+
Example:
/etc/postfix/main.cf:
certificate and key incorrectly, you will be unable to send mail to sites
that request client certificate, but don't require them from all clients.
- smtp_tls_CAfile = /etc/postfix/cacert.pem
- smtp_tls_session_cache_database =
- btree:/var/spool/postfix/smtp_tls_session_cache
- smtp_use_tls = yes
- smtpd_tls_CAfile = /etc/postfix/cacert.pem
- smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem
- smtpd_tls_key_file = /etc/postfix/FOO-key.pem
- smtpd_tls_received_header = yes
- smtpd_tls_session_cache_database =
- btree:/var/spool/postfix/smtpd_tls_session_cache
- smtpd_use_tls = yes
- tls_random_source = dev:/dev/urandom
+ /etc/postfix/main.cf:
+ smtp_tls_CAfile = /etc/postfix/cacert.pem
+ smtp_tls_session_cache_database =
+ btree:/var/spool/postfix/smtp_tls_session_cache
+ smtp_use_tls = yes
+ smtpd_tls_CAfile = /etc/postfix/cacert.pem
+ smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem
+ smtpd_tls_key_file = /etc/postfix/FOO-key.pem
+ smtpd_tls_received_header = yes
+ smtpd_tls_session_cache_database =
+ btree:/var/spool/postfix/smtpd_tls_session_cache
+ tls_random_source = dev:/dev/urandom
+ # Postfix 2.3 and later
+ smtpd_tls_security_level = may
+ # Obsolete, but still supported
+ smtpd_use_tls = yes
R\bRe\bep\bpo\bor\brt\bti\bin\bng\bg p\bpr\bro\bob\bbl\ble\bem\bms\bs
Some Postfix internal protocols have changed. You need to "postfix
reload" or restart Postfix, otherwise many servers will log warning
-messages with "unexpected attribute" or "problem talking to service
-rewrite: Unknown error: 0", and mail will not be delivered.
+messages like "unexpected attribute xxx" or "problem talking to
+service yyy", and mail will not be delivered.
The Sendmail-compatible Milter support introduces three new queue
file record types. As long as you leave this feature turned off,
-you can still go back to Postfix version 2.2 without losing mail.
+you can still go back to Postfix version 2.2 without losing mail
+that was received by Postfix 2.3.
Major changes - DNS lookups
---------------------------
[Feature 20050615] DSN support as described in RFC 3461 .. RFC 3464.
This gives senders control over successful and failed delivery
-notifications. DSN involves extra parameters to the SMTP MAIL FROM
-and RCPT TO commands, as well as extra Postfix sendmail command
-line options for mail submission.
+notifications. DSN involves extra parameters to the SMTP "MAIL
+FROM" and "RCPT TO" commands, as well as extra Postfix sendmail
+command line options for mail submission.
-See DSN_README for details. Some implementation notes are in
-implementation-notes/DSN.
+See DSN_README for details. Some implementation notes can be found
+in implementation-notes/DSN.
[Incompat 20050615] The new DSN support conflicts with VERP support.
For Sendmail compatibility, Postfix now uses the sendmail -V command
-line option for DSN. In order to request VERP style delivery, you
-must now specify -XV instead of -V. The Postfix sendmail command
-will recognize if you try to use -V for VERP-style delivery. It
-will do the right thing and will remind you of the new syntax.
-
-[Incompat 20050828] When the cleanup server rejects the content or
-size of mail that was submitted with the Postfix sendmail command,
-that was forwarded with the local(8) delivery agent, or that was
-re-queued with "postsuper -r", Postfix no longer sends DSN SUCCESS
-notification after virtual alias expansions. Since all the recipients
-are reported as failed, the SUCCESS notification seems redundant.
+line option for DSN. To request VERP style delivery, you must now
+specify -XV instead of -V. The Postfix sendmail command will
+recognize if you try to use -V for VERP-style delivery. It will
+usually do the right thing, and remind you of the new syntax.
+
+[Incompat 20050828] Postfix no longer sends DSN SUCCESS notification
+after virtual alias expansions when the cleanup server rejects the
+content or size of mail that was submitted with the Postfix sendmail
+command, mail that was forwarded with the local(8) delivery agent,
+or mail that was re-queued with "postsuper -r". Since all the
+recipients are reported as failed, the SUCCESS notification seems
+redundant.
Major changes - LMTP client
---------------------------
[Feature 20051208] The SMTP client now implements the LMTP protocol.
Most but not all smtp_xxx parameters now have an lmtp_xxx equivalent.
This means there are lot of new LMTP features, including support
-for TLS and for the shared connection cache.
+for TLS and for the shared connection cache. See the "SMTP client"
+section for details.
[Incompat 20051208] The LMTP client now reports the server as
"myhostname[/path/name]". With the real server hostname in delivery
See the MILTER_README document for a discussion of how to use Milter
support with Postfix, and limitations of the current implementation.
-[Incompat 20060515] Milter support introduces three new queue file
-record types. As long as you leave this feature turned off, you can
-still go back to Postfix version 2.2 without losing mail.
+The Sendmail-compatible Milter support introduces three new queue
+file record types. As long as you leave this feature turned off,
+you can still go back to Postfix version 2.2 without losing mail
+that was received by Postfix 2.3.
[Incompat 20060515] Milter support introduces new logfile event
types: milter-reject, milter-discard and milter-hold, that identify
Major changes - SASL authentication
-----------------------------------
-[Incompat 20060707] The SMTP/LMTP client now defers delivery when
-a SASL password exists but the server does not offer SASL authentication.
-Otherwise, the server could reject the mail. This may become an
-issue now that Postfix retries delivery in plaintext after an
-opportunistic TLS handshake fails. Specify "smtp_sasl_auth_enforce
-= no" to deliver mail anyway.
-
[Feature 20051220] Plug-in support for SASL authentication in the
SMTP server and in the SMTP/LMTP client. With this, Postfix can
support multiple SASL implementations without source code patches.
smtp_sender_dependent_authentication = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_pass
+[Incompat 20060707] The SMTP/LMTP client now defers delivery when
+a SASL password exists but the server does not announce support for
+SASL authentication. This can happen with servers that announce
+SASL support only when TLS is turned on. When an opportunistic TLS
+handshake fails, Postfix >= 2.3 retries delivery in plaintext, and
+the remote server rejects mail from the unauthenticated client.
+Specify "smtp_sasl_auth_enforce = no" to deliver mail anyway.
+
Major changes - SMTP client
---------------------------
client uses this setting only for SMTP deliveries. The old name
still works.
-[Feature 20051125] This snapshot adds support for sender-dependent
-ISP accounts.
-
-- Sender-dependent smarthost lookup tables. The maps are searched
- with the sender address and with the sender @domain. The result
- overrides the global relayhost setting, but otherwise has identical
- behavior. See the postconf(5) manual page for more details.
-
- Example:
- /etc/postfix/main.cf:
- sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
-
-- Sender-dependent SASL authentication support. This disables SMTP
- connection caching to ensure that mail from different senders
- will use the correct authentication credentials. The SMTP SASL
- password file is first searched by sender address, and then by
- the remote domain and hostname as usual.
-
- Example:
- /etc/postfix/main.cf:
- smtp_sasl_auth_enable = yes
- smtp_sender_dependent_authentication = yes
- smtp_sasl_password_maps = hash:/etc/postfix/sasl_pass
-
[Incompat 20051106] The relay=... logging has changed and now
includes the remote SMTP server port number as hostname[hostaddr]:port.
See the "SASL authentication" and "TLS" sections for changes related
to SASL authentication and TLS support, respectively.
-[Feature 20051222] You can now use "resolve_numeric_domain = yes"
-to stop Postfix from rejecting user@ipaddress as an invalid
-destination. It will deliver the mail to user@[ipaddress] instead.
+[Feature 20051222] To accept the non-compliant user@ipaddress form,
+specify "resolve_numeric_domain = yes". Postfix will deliver the
+mail to user@[ipaddress] instead.
[Incompat 20051202] The Postfix SMTP server now refuses to receive
mail from the network if it isn't running with postfix mail_owner
[Incompat 20051121] Although the permit_mx_backup feature still
accepts mail for authorized destinations (see permit_mx_backup for
definition), with all other destinations it now requires that the
-local MTA is listed as non-primary MX. This prevents mail loop
-problems when someone points the primary MX record at a Postfix
-system.
-
-[Feature 20051011] Optional protection against SMTP clients that
-hammer the server with too many new (i.e. uncached) SMTP-over-TLS
-sessions. Cached sessions are much less expensive in terms of CPU
-cycles. Use the smtpd_client_new_tls_session_rate_limit parameter
-to specify a limit that is at least the inbound client concurrency
-limit, or else you may deny legitimate service requests.
+local MTA is listed as non-primary MX server. This prevents mail
+loop problems when someone points their primary MX record at a
+Postfix system.
[Feature 20051011] Optional suppression of remote SMTP client
hostname lookup and hostname verification. Specify "smtpd_peername_lookup
Major changes - TLS
-------------------
-[Feature 20060123] Postfix 2.3 provides a new per-site TLS policy
-mechanism that is more flexible and that eliminates DNS spoofing
-attacks more effectively. The legacy smtp_tls_per_site feature will
-be kept intact for a few releases so that sites can upgrade Postfix
-without being forced to use a different TLS policy mechanism.
-
-[Feature 20060614] New smtp_tls_security_level parameter obsoletes
-the smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername
-parameters. The old parameters are still supported but will be
-removed in a future Postfix release.
+Major revisions were made to Postfix TLS support; see TLS_README
+for the details. For backwards compatibility, the old TLS policy
+user interface will be kept intact for a few releases so that sites
+can upgrade Postfix without being forced to use a different TLS
+policy mechanism.
+
+[Feature 20060614] New concept: TLS security levels ("none", "may",
+"encrypt", "verify" or "secure") in the Postfix SMTP client. You
+can specify the TLS security level via the smtp_tls_security_level
+parameter. This is more convenient than controlling TLS with the
+multiple smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername,
+parameters.
-[Feature 20060614] New smtpd_tls_protocols parameter complements
-the smtp_tls_mandatory_protocols parameter. This recommended for
-MSA configurations, not for MX for hosts that face the Internet.
+[Feature 20060709] TLS security levels ("none", "may", "encrypt")
+in the Postfix SMTP server. You specify the security level with the
+smtpd_tls_security_level parameter. This overrides the multiple
+smtpd_use_tls and smtpd_enforce_tls parameters. When a value of
+"verify" or "secure" is specified, the Postfix SMTP server logs a
+warning and uses "encrypt" instead.
-[Feature 20060626] Both the SMTP client and server can be configured
-without a client or server certificate. An SMTP server without
-certificate can use only anonymous ciphers, and will not inter-operate
-with most clients.
+[Feature 20060123] A new per-site TLS policy mechanism for the
+Postfix SMTP client that supports the new TLS security levels,
+and that eliminates DNS spoofing attacks more effectively.
-The SMTP server supports anonymous ciphers when client certificates
-are not requested or required, and the administrator has not excluded
-the "aNULL" OpenSSL cipher type with smtpd_tls_exclude_ciphers.
+[Feature 20060626] Both the Postfix SMTP client and server can be
+configured without a client or server certificate. An SMTP server
+without certificate can use only anonymous ciphers, and will not
+inter-operate with most clients.
-The SMTP client supports anonymous ciphers when no server certificate
-is required (notably Postfix 2.3 in "opportunistic" mode) and the
-administrator has not excluded the "aNULL" OpenSSL cipher type with
-smtp_tls_exclude_ciphers.
+The Postfix SMTP server supports anonymous ciphers when 1) no client
+certificates are requested or required, and 2) the administrator
+has not excluded the "aNULL" OpenSSL cipher type with the
+smtpd_tls_exclude_ciphers parameter.
-[Feature 20060626] You can specify cipher grades (instead of cipher
-names) with the smtp_tls_mandatory_ciphers, lmtp_tls_mandatory_ciphers
-and smtpd_tls_ciphers parameters. Specify one of "high", "medium",
-"low", "export" or "null". See TLS_README for details.
+The Postfix SMTP client supports anonymous ciphers when 1) no server
+certificate is required and 2) the administrator has not excluded
+the "aNULL" OpenSSL cipher type with the smtp_tls_exclude_ciphers
+parameter.
[Incompat 20060707] The SMTPD policy client now encodes the
ccert_subject and ccert_issuer attributes as xtext. Some characters
are represented by +XX, where XX is the two-digit hexadecimal
representation of the character value.
-[Incompat 20060614] The smtp_sasl_tls_verified_security_options
-feature is not yet complete, and will therefore not appear in the
-stable Postfix 2.3 release.
-
-[Incompat 20060614] New smtp_tls_mandatory_protocols feature used
-for mandatory TLS destinations. The default value is "SSLv3, TLSv1".
-SSLv2 is by default no longer used with mandatory TLS.
+[Feature 20060614] The smtpd_tls_protocols parameter restricts the
+list of TLS protocols supported by the SMTP server. This is
+recommended for use with MSA configurations only. It should not
+be used with MX hosts that receive mail from the Internet, as it
+reduces inter-operability.
[Incompat 20060614] The smtp_tls_cipherlist parameter only applies
when TLS is mandatory. It is ignored with opportunistic TLS sessions.
[Incompat 20060614] At (lmtp|smtp|smtpd)_tls_loglevel >= 2, Postfix
now also logs TLS session cache activity. Use level 2 and higher
-for debugging only, use levels 0 or 1 as production settings.
+for debugging only; use levels 0 or 1 as production settings.
[Incompat 20060207] The Postfix SMTP server no longer complains
when TLS support is not compiled in while permit_tls_clientcerts,
permit_tls_all_clientcerts, or check_ccert_access are specified in
main.cf. These features now are effectively ignored. However, the
reject_plaintext_session feature is not ignored and will reject
-mail.
+plain-text mail.
[Feature 20060123] Some obscure behavior was eliminated from the
smtp_tls_per_site feature, without changes to the user interface.
-Some Postfix internals had to be re-structured in preparation for
-a more general TLS policy mechanism; this required that smtp_tls_per_site
-be re-implemented from scratch. The obscure behavior was found
-during compatibility testing.
+Some Postfix internals had to be re-structured for the new TLS
+policy mechanism; for this, smtp_tls_per_site had to be re-implemented.
+The obscure behavior was found during compatibility testing.
[Feature 20051011] Optional protection against SMTP clients that
hammer the server with too many new (i.e. uncached) SMTP-over-TLS
greeting stage, immediately before the EHLO/HELO greeting. This
was needed to correctly simulate the effect of connection-level
access restrictions. Without this change, XCLIENT would not work
-with Milter applications.
+at all with Milter applications.
[Incompat 20060611] The SMTP server XCLIENT and XFORWARD commands
now expect that attributes are xtext encoded (RFC 1891). For backwards
compatibility they will also accept unencoded attribute values. The
XFORWARD client code in the SMTP client and in the SMTPD_PROXY
-client will always encode attribute values. This change will have
-effect only for malformed hostname and helo parameter values.
+client now always encode attribute values. This change will have a
+visible effect only for malformed hostname and helo parameter values.
For more details, see the XCLIENT_README and XFORWARD_README
documents.
that was developed by Nicolas Riendeau. The file with templates is
specified with the bounce_template_file parameter. Details are in
the bounce(5) manual page, and examples of the built-in templates
-can be found in a file bounce.cf.default in the Postfix configuration
-directory. The template for the default bounce message looks like
-this:
+can be found in $config_directory/bounce.cf.default. The template
+for the default bounce message looks like this:
failure_template = <<EOF
Charset: us-ascii
escape sequences: \a \b \f \n \r \t \v \ddd (up to three octal
digits) and \\.
-[Incompat 20050828] When a header/body_checks or message_reject_characters
-rule rejects mail that was submitted with the Postfix sendmail
-command (or re-queued with "postsuper -r"), the returned message
-is now limited to just the message headers, to avoid the risk of
-exposure to harmful content in the message body or attachments.
+[Incompat 20050828] When a header/body_checks rule or when
+message_reject_characters rejects mail that was submitted with the
+Postfix sendmail command (or re-queued with "postsuper -r"), the
+returned message is now limited to just the message headers, to
+avoid the risk of exposure to harmful content in the message body
+or attachments.
Major changes - database support
--------------------------------
agents now log the RFC 3463 enhanced status code as "dsn=x.y.z"
where y and z can be up to three digits each.
+[Incompat 20051208] The LMTP client now reports the server as
+"myhostname[/path/name]". With the real server hostname in delivery
+status reports, the information will be more useful.
+
Major changes - performance
---------------------------
+[Incompat 20051105] All delay logging now has sub-second resolution,
+including the over-all "delay=nnn" logging. A patch is available
+for pflogsumm (pflogsumm-conn-delays-dsn-patch). The qshape script
+has been updated (auxiliary/qshape/qshape.pl).
+
[Incompat 20050622] The Postfix SMTP client by default limits the
number of MX server addresses to smtp_mx_address_limit=5. Previously
this limit was disabled by default. The new limit prevents Postfix
that disable automatic argument type conversions. Examples of such
contexts are formatting with printf-like arguments, and invoking
functions that write Postfix request or reply attributes across
-inter-process communication channels. Unfortunately, gcc does not
-report "(unsigned) int" versus "(s)size_t" format string argument
-mis-matches on 32-bit systems; it reports them only on 64-bit
-systems.
+inter-process communication channels. Unfortunately, gcc reports
+"(unsigned) int" versus "(s)size_t" format string argument mis-matches
+only on LP64 systems.
Major changes - safety
----------------------
only the top-level alias should have an owner- alias, and none of
the subordinate aliases.
-[Incompat 20050828] When a header/body_checks or message_reject_characters
-rule rejects mail that was submitted with the Postfix sendmail
-command (or re-queued with "postsuper -r"), the returned message
-is now limited to just the message headers, to avoid the risk of
-exposure to harmful content in the message body or attachments.
+[Incompat 20050828] When a header/body_checks rule or when
+message_reject_characters rejects mail that was submitted with the
+Postfix sendmail command (or re-queued with "postsuper -r"), the
+returned message is now limited to just the message headers, to
+avoid the risk of exposure to harmful content in the message body
+or attachments.
[Incompat 20051202] The Postfix SMTP server now refuses to receive
mail from the network if it isn't running with postfix mail_owner
OSF1.V3 - OSF1.V5 (Digital UNIX) <br>
Reliant UNIX 5.x <br>
Rhapsody 5.x <br>
-SunOS 4.1.4 (December 2005) <br>
+SunOS 4.1.4 (July 2006) <br>
SunOS 5.4 - 5.9 (Solaris 2.4..9) <br>
Ultrix 4.x (well, that was long ago) <br>
</p>
<ul>
<li> <p> The non-interactive version ("make upgrade") needs the
-/etc/postfix/main.cf file from a previous installation. If the file
+/etc/postfix/<a href="postconf.5.html">main.cf</a> file from a previous installation. If the file
does not exist, use interactive installation ("make install")
instead. </p>
<li> <p> The interactive version offers suggestions for pathnames
that you can override interactively, and stores your preferences
-in /etc/postfix/main.cf for convenient future upgrades. </p>
+in /etc/postfix/<a href="postconf.5.html">main.cf</a> for convenient future upgrades. </p>
</ul>
href="#hamlet">To chroot or not to chroot</a>" text in section
11. </p>
-<p> You MUST comment out the "smtp inet" entry in /etc/postfix/master.cf,
+<p> You MUST comment out the "smtp inet" entry in /etc/postfix/<a href="master.5.html">master.cf</a>,
in order to avoid conflicts with the real sendmail. Put a "#"
character in front of the line that defines the smtpd service: </p>
<blockquote>
<pre>
-/etc/postfix/master.cf:
+/etc/postfix/<a href="master.5.html">master.cf</a>:
#smtp inet n - n - - smtpd
</pre>
</blockquote>
Postfix on a virtual interface address. Simply configure your mail
user agent to directly invoke the Postfix sendmail program. </p>
-<p> In the /etc/postfix/main.cf file, I would specify </p>
+<p> In the /etc/postfix/<a href="postconf.5.html">main.cf</a> file, I would specify </p>
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#myhostname">myhostname</a> = virtual.host.tld
<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> = $<a href="postconf.5.html#myhostname">myhostname</a>
<a href="postconf.5.html#mydestination">mydestination</a> = $<a href="postconf.5.html#myhostname">myhostname</a>
<h3>10.1 - Postfix configuration files</h3>
<p> By default, Postfix configuration files are in /etc/postfix.
-The two most important files are main.cf and master.cf; these files
+The two most important files are <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a>; these files
must be owned by root. Giving someone else write permission to
-main.cf or master.cf (or to their parent directories) means giving
+<a href="postconf.5.html">main.cf</a> or <a href="master.5.html">master.cf</a> (or to their parent directories) means giving
root privileges to that person. </p>
-<p> In /etc/postfix/main.cf, you will have to set up a minimal number
+<p> In /etc/postfix/<a href="postconf.5.html">main.cf</a>, you will have to set up a minimal number
of configuration parameters. Postfix configuration parameters
resemble shell variables, with two important differences: the first
one is that Postfix does not know about quotes like the UNIX shell
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
parameter = value
</pre>
</blockquote>
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
other_parameter = $parameter
</pre>
</blockquote>
configuration language uses lazy evaluation, and does not look at
a parameter value until it is needed at runtime. </p>
-<p> Whenever you make a change to the main.cf or master.cf file,
+<p> Whenever you make a change to the <a href="postconf.5.html">main.cf</a> or <a href="master.5.html">master.cf</a> file,
execute the following command in order to refresh a running mail
system: </p>
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#myorigin">myorigin</a> = $<a href="postconf.5.html#myhostname">myhostname</a> (send mail as "user@$<a href="postconf.5.html#myhostname">myhostname</a>")
<a href="postconf.5.html#myorigin">myorigin</a> = $<a href="postconf.5.html#mydomain">mydomain</a> (send mail as "user@$<a href="postconf.5.html#mydomain">mydomain</a>")
</pre>
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#mydestination">mydestination</a> = $<a href="postconf.5.html#myhostname">myhostname</a>, localhost.$<a href="postconf.5.html#mydomain">mydomain</a>, localhost
<a href="postconf.5.html#mydestination">mydestination</a> = $<a href="postconf.5.html#myhostname">myhostname</a>, localhost.$<a href="postconf.5.html#mydomain">mydomain</a>, localhost, $<a href="postconf.5.html#mydomain">mydomain</a>
<a href="postconf.5.html#mydestination">mydestination</a> = $<a href="postconf.5.html#myhostname">myhostname</a>
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> = 1.2.3.4 (the proxy/NAT external network address)
</pre>
</blockquote>
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#mynetworks">mynetworks</a> = 168.100.189.0/28, 127.0.0.0/8
</pre>
</blockquote>
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#relay_domains">relay_domains</a> = (do not forward mail from strangers)
<a href="postconf.5.html#relay_domains">relay_domains</a> = $<a href="postconf.5.html#mydomain">mydomain</a> (my domain and subdomains)
<a href="postconf.5.html#relay_domains">relay_domains</a> = $<a href="postconf.5.html#mydomain">mydomain</a>, other.domain.tld, ...
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#relayhost">relayhost</a> = $<a href="postconf.5.html#mydomain">mydomain</a>
<a href="postconf.5.html#relayhost">relayhost</a> = [mail.$<a href="postconf.5.html#mydomain">mydomain</a>]
</pre>
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> = yes
</pre>
</blockquote>
<h2><a name="hamlet">11 - To chroot or not to chroot</a></h2>
-<p> Postfix daemon processes can be configured (via master.cf) to
+<p> Postfix daemon processes can be configured (via <a href="master.5.html">master.cf</a>) to
run in a chroot jail. The processes run at a fixed low privilege
and with access only to the Postfix queue directories (/var/spool/postfix).
This provides a significant barrier against intrusion. The barrier
porcupine.org mail server runs all daemons chrooted that can be
chrooted. </p>
-<p> The default /etc/postfix/master.cf file specifies that no
+<p> The default /etc/postfix/<a href="master.5.html">master.cf</a> file specifies that no
Postfix daemon runs chrooted. In order to enable chroot operation,
-edit the file /etc/postfix/master.cf. Instructions are in the file.
+edit the file /etc/postfix/<a href="master.5.html">master.cf</a>. Instructions are in the file.
</p>
<p> Note that a chrooted daemon resolves all filenames relative to
accidental configurations with no certificates, Postfix 2.3 enables
certificate-less operation only when the administrator explicitly sets
"<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> = none". This ensures that new Postfix
-configurations with just "<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> = yes" added, will
-not accidentally run with no certificates. </p>
+configurations will not accidentally run with no certificates. </p>
<p> Both RSA and DSA certificates are supported. Typically you will
only have RSA certificates issued by a commercial CA. In addition,
<p> By default, TLS is disabled in the Postfix SMTP server, so no
difference to plain Postfix is visible. Explicitly switch it on
-using "<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> = yes". </p>
+with "<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = may" (Postfix 2.3 and
+later) or "<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> = yes" (obsolete but still
+supported). </p>
<p> Example: </p>
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+ # Postfix 2.3 and later
+ <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = may
+ # Obsolete, but still supported
<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> = yes
</pre>
</blockquote>
is never offered due to insufficient privileges to access the server
private key. This is intended behavior. </p>
-<p> <a name="server_enforce">You can ENFORCE the use of TLS</a>, so that
-the Postfix SMTP server announces STARTTLS and accepts no mail without
-TLS encryption, by setting "<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes". According
-to <a href="http://www.faqs.org/rfcs/rfc2487.html">RFC 2487</a> this MUST NOT be applied in case of a publicly-referenced
-Postfix SMTP server. This option is off by default and should only
-seldom be used. </p>
+<p> <a name="server_enforce">You can ENFORCE the use of TLS</a>,
+so that the Postfix SMTP server announces STARTTLS and accepts no
+mail without TLS encryption, by setting
+"<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = encrypt" (Postfix 2.3 and
+later) or "<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes" (obsolete but still
+supported). According to <a href="http://www.faqs.org/rfcs/rfc2487.html">RFC 2487</a> this MUST NOT be applied in case
+of a publicly-referenced Postfix SMTP server. This option is off
+by default and should only seldom be used. </p>
<p> Example: </p>
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+ # Postfix 2.3 and later
+ <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = encrypt
+ # Obsolete, but still supported
<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes
</pre>
</blockquote>
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
- <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> = yes
<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a> = yes
+ # Postfix 2.3 and later
+ <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = may
+ # Obsolete, but still supported
+ <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> = yes
</pre>
</blockquote>
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
- <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes
<a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a> = yes
+ # Postfix 2.3 and later
+ <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = encrypt
+ # Obsolete, but still supported
+ <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes
</pre>
</blockquote>
<h3><a name="server_tls_auth">Supporting AUTH over TLS only</a></h3>
-<p> Sending AUTH data over an unencrypted channel poses a security risk.
-When TLS layer encryption is required (<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes),
-the Postfix SMTP server will announce and accept AUTH only
-after the TLS layer has been activated with STARTTLS. When TLS
-layer encryption is optional (<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = no), it may
-however still be useful to only offer AUTH when TLS is active. To
-maintain compatibility with non-TLS clients, the default is to
-accept AUTH without encryption. In order to change this behavior,
-set "<a href="postconf.5.html#smtpd_tls_auth_only">smtpd_tls_auth_only</a> = yes". </p>
+<p> Sending AUTH data over an unencrypted channel poses a security
+risk. When TLS layer encryption is required
+("<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = encrypt" or the obsolete
+"<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes"), the Postfix SMTP server will
+announce and accept AUTH only after the TLS layer has been activated
+with STARTTLS. When TLS layer encryption is optional
+("<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = may" or the obsolete
+"<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = no"), it may however still be useful
+to only offer AUTH when TLS is active. To maintain compatibility
+with non-TLS clients, the default is to accept AUTH without encryption.
+In order to change this behavior, set
+"<a href="postconf.5.html#smtpd_tls_auth_only">smtpd_tls_auth_only</a> = yes". </p>
<p> Example: </p>
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
- <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> = yes
- <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes
<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> = /etc/postfix/cert.pem
<a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a> = /etc/postfix/key.pem
<a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a> = medium
<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> = aNULL, MD5
+ # Postfix 2.3 and later
+ <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = encrypt
+ # Obsolete, but still supported
+ <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes
</pre>
</blockquote>
<p> At the "encrypt" TLS security level, messages are sent only
over TLS encrypted sessions. The SMTP transaction is aborted unless
-the STARTTLS ESMTP feature is supported by the server. If no
-suitable servers are found, the message will be deferred. With Postfix
-2.3 and later, mandatory TLS encryption can be configured by setting
-"<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = encrypt". Even though TLS encryption
-is always used, mail delivery continues if the server certificate is
-untrusted or bears the wrong name. </p>
+the STARTTLS ESMTP feature is supported by the server. If no suitable
+servers are found, the message will be deferred. With Postfix 2.3
+and later, mandatory TLS encryption can be configured by setting
+"<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = encrypt". Even though TLS
+encryption is always used, mail delivery continues if the server
+certificate is untrusted or bears the wrong name. </p>
<p> At this security level and higher, the <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>
and <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> configuration parameters determine
<h3><a name="client_tls_verify"> Mandatory server certificate verification </a>
</h3>
-<p> At the "verify" TLS security level, messages are sent only
-over TLS encrypted sessions for which server certificate verification
-succeeds. If no suitable servers are found, the message will be
-deferred. With Postfix 2.3 and later, mandatory server certificate
-verification can be configured by setting
-"<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = verify", the
+<p> At the "verify" TLS security level, messages are sent only over
+TLS encrypted sessions if the server certificate is valid (not
+expired or revoked, and signed by a trusted certificate authority)
+and if the server certificate name matches a known pattern. Mandatory
+server certificate verification can be configured by setting
+"<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = verify". The
<a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> parameter can override the default
-"hostname" certificate match strategy. Fine-tuning the matching
-strategy is generally only appropriate for <a
+"hostname" certificate name matching strategy. Fine-tuning the
+
matching strategy is generally only appropriate for <a
href="#client_tls_secure">secure-channel</a> destinations. </p>
<p> With Postfix 2.2 and earlier, or when <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>
<dd>Opportunistic TLS. No additional attributes are supported at this
level. </dd>
-<dt><b>encrypt</b></dt> <dd>Mandatory TLS encryption. At this level and
-higher the optional "ciphers" attribute overrides the <a href="postconf.5.html">main.cf</a>
-<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> parameter and the optional "protocols"
-keyword overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> parameter.
-In the policy table, multiple protocols must be separated by colons,
-as attribute values may not contain whitespace or commas.</dd>
-
-<dt><b>verify</b></dt>
-<dd>Mandatory server certificate verification. The optional "match"
-attribute overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> parameter.
-In the policy table, multiple match patterns and strategies must
-be separated by colons. </dd>
-
-<dt><b>secure</b></dt> <dd>Secure-channel TLS. The optional "match"
-attribute overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> parameter. In
-the policy table, multiple match patterns and strategies must be separated
-by colons. The match attribute is useful when additional domains are
-supported by common server, the policy entries for the additional domains
-specify matching rules for the primary domain certificate. While transport
-table overrides routing secondary domains to the primary nexthop also
-allow secure verification, they risk delivery to the wrong destination
-when domains change hands or are re-assigned to new gateways. With the
-"match" attribute approach, routing is not perturbed, and mail is deferred
-if verification of a new MX host fails. </dd>
+<dt><b>encrypt</b></dt> <dd>Mandatory TLS encryption. Mail is
+delivered only if remote SMTP server offers STARTTLS and the TLS
+handshake succeeds. At this level and higher the optional "ciphers"
+attribute overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> parameter
+and the optional "protocols" keyword overrides the <a href="postconf.5.html">main.cf</a>
+<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> parameter. </dd>
+
+<dt><b>verify</b></dt> <dd>Mandatory server certificate verification.
+Mail is delivered only if the TLS handshake succeeds, if the server
+certificate can be validated (not expired or revoked, and signed
+by a trusted certificate authority), and if the server certificate
+name matches the optional "match" attribute (or the <a href="postconf.5.html">main.cf</a>
+<a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> parameter value when no optional "match"
+attribute is specified). </dd>
+
+<dt><b>secure</b></dt> <dd>Secure-channel TLS. Mail is delivered
+only if the TLS handshake succeeds, if the server certificate can
+be validated (not expired or revoked, and signed by a trusted
+certificate authority), and if the server certificate name matches
+the optional "match" attribute (or the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a>
+parameter value when no optional "match" attribute is specified).
+</dd>
</dl>
+<p> Notes: </p>
+
+<ul>
+
+<li> <p> The "match" attribute is especially useful to verify TLS
+certificates for domains that are hosted on a shared server. In
+that case, specify "match" rules for the shared server's name.
+While secure verification can also be achieved with manual routing
+overrides in Postfix <a href="transport.5.html">transport(5)</a> tables, that approach can deliver
+mail to the wrong host when domains are assigned to new gateway
+hosts. The "match" attribute approach avoids the problems of manual
+routing overrides; mail is deferred if verification of a new MX
+host fails. </p>
+
+<li> <p> When a policy table entry specifies multiple match patterns,
+multiple match strategies, or multiple protocols, these must be
+separated by colons. </p>
+
+</ul>
+
<p>
Example:
</p>
<blockquote>
<pre>
-<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> = /etc/postfix/cacert.pem
-<a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> =
- btree:/var/spool/postfix/smtp_tls_session_cache
-<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> = yes
-<a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> = /etc/postfix/cacert.pem
-<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> = /etc/postfix/FOO-cert.pem
-<a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a> = /etc/postfix/FOO-key.pem
-<a href="postconf.5.html#smtpd_tls_received_header">smtpd_tls_received_header</a> = yes
-<a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> =
- btree:/var/spool/postfix/smtpd_tls_session_cache
-<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> = yes
-<a href="postconf.5.html#tls_random_source">tls_random_source</a> = dev:/dev/urandom
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+ <a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> = /etc/postfix/cacert.pem
+ <a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> =
+ btree:/var/spool/postfix/smtp_tls_session_cache
+ <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> = yes
+ <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> = /etc/postfix/cacert.pem
+ <a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> = /etc/postfix/FOO-cert.pem
+ <a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a> = /etc/postfix/FOO-key.pem
+ <a href="postconf.5.html#smtpd_tls_received_header">smtpd_tls_received_header</a> = yes
+ <a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> =
+ btree:/var/spool/postfix/smtpd_tls_session_cache
+ <a href="postconf.5.html#tls_random_source">tls_random_source</a> = dev:/dev/urandom
+ # Postfix 2.3 and later
+ <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = may
+ # Obsolete, but still supported
+ <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> = yes
</pre>
</blockquote>
<DT><b><a name="smtp_tls_security_level">smtp_tls_security_level</a>
(default: empty)</b></DT><DD>
-<p> The default SMTP TLS security level for all destinations; when
-a non-empty value is specified, this overrides the obsolete parameters
-<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>, and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>. </p>
+<p> The default SMTP TLS security level for the Postfix SMTP client;
+when a non-empty value is specified, this overrides the obsolete
+parameters <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>, and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>.
+</p>
<p> Specify one of the following security levels: </p>
<DT><b><a name="smtpd_enforce_tls">smtpd_enforce_tls</a>
(default: no)</b></DT><DD>
-<p> Enforcement mode: announce STARTTLS support to SMTP clients,
+<p> Mandatory TLS: announce STARTTLS support to SMTP clients,
and require that clients use TLS encryption. According to <a href="http://www.faqs.org/rfcs/rfc2487.html">RFC 2487</a>
this MUST NOT be applied in case of a publicly-referenced SMTP
server. This option is off by default and should be used only on
dedicated servers. </p>
-<p> Note 1:
this mode implies "<a href="postconf.5.html#smtpd_tls_auth_only">smtpd_tls_auth_only</a> = yes". </p>
+<p> Note 1:
"<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes" implies "<a href="postconf.5.html#smtpd_tls_auth_only">smtpd_tls_auth_only</a> = yes". </p>
<p> Note 2: when invoked via "<b>sendmail -bs</b>", Postfix will never offer
STARTTLS due to insufficient privileges to access the server private
key. This is intended behavior. </p>
-<p> This feature is available in Postfix 2.2 and later. </p>
+<p> This feature is available in Postfix 2.2 and later. With
+Postfix 2.3 and later use <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> instead. </p>
</DD>
similar software, it will still insist on a server certificate. </p>
<p> For servers that are <b>not</b> public Internet MX hosts, Postfix
-2.3 supports configurations with no certificates. This entails the use
-of just the anonymous TLS ciphers, which are not supported by typical
-SMTP clients. Since such clients will not, as a rule, fall back to plain
-text after a TLS handshake failure, the server will be unable to receive
-email from TLS enabled clients. To avoid accidental configurations with
-no certificates, Postfix 2.3 enables certificate-less operation only
-when the administrator explicitly sets "<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> = none". This
-ensures that new Postfix configurations with just "<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> = yes"
-added, will not accidentally run with no certificates. </p>
+2.3 supports configurations with no certificates. This entails the
+use of just the anonymous TLS ciphers, which are not supported by
+typical SMTP clients. Since such clients will not, as a rule, fall
+back to plain text after a TLS handshake failure, the server will
+be unable to receive email from TLS enabled clients. To avoid
+accidental configurations with no certificates, Postfix 2.3 enables
+certificate-less operation only when the administrator explicitly
+sets "<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> = none". This ensures that new Postfix
+configurations will not accidentally run with no certificates. </p>
<p> Both RSA and DSA certificates are supported. When both types
are present, the cipher used determines which certificate will be
<DT><b><a name="smtpd_tls_protocols">smtpd_tls_protocols</a>
(default: empty)</b></DT><DD>
-<p> The list of TLS protocols supported by the server. If empty the
-default list of protocols is used (i.e. all TLS protocol versions are
-supported). Any non-empty value is interpreted as a list of protocol
-names separated by whitespace, commas or colons. The supported protocol
-names are "SSLv2", "SSLv3" and "TLSv1", and are not
-case-sensitive. </p>
+<p> The list of TLS protocols supported by the Postfix SMTP server.
+If the list is empty, the server supports all available TLS protocol
+versions. A non-empty value is a list of protocol names separated
+by whitespace, commas or colons. The supported protocol names are
+"SSLv2", "SSLv3" and "TLSv1", and are not case sensitive. </p>
-<p> DO NOT set this to a non-default value on an MX-host,
-as some clients may not support any of the narrower set of protocols,
-and may be unable to fallback to plaintext sessions. If you restrict
-the protocol list on an MX host, you may lose mail. </p>
+<p> DO NOT set this to a non-default value on an Internet MX host,
+as this may cause inter-operability problems. If you restrict the
+protocol list on an Internet MX host, you may lose mail. </p>
<p> Example: </p>
<p> This feature is available in Postfix 2.2 and later. </p>
+</DD>
+
+<DT><b><a name="smtpd_tls_security_level">smtpd_tls_security_level</a>
+(default: empty)</b></DT><DD>
+
+<p> The SMTP TLS security level for the Postfix SMTP server; when
+a non-empty value is specified, this overrides the obsolete parameters
+<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> and <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>. This parameter is ignored with
+"<a href="postconf.5.html#smtpd_tls_wrappermode">smtpd_tls_wrappermode</a> = yes". </p>
+
+<p> Specify one of the following security levels: </p>
+
+<dl>
+
+<dt><b>none</b></dt> <dd> TLS will not be used. </dd>
+
+<dt><b>may</b></dt> <dd> Opportunistic TLS: announce STARTTLS support
+to SMTP clients, but do not require that clients use TLS encryption.
+</dd>
+
+<dt><b>encrypt</b></dt> <dd>Mandatory TLS encryption: announce
+STARTTLS support to SMTP clients, and require that clients use TLS
+encryption. According to <a href="http://www.faqs.org/rfcs/rfc2487.html">RFC 2487</a> this MUST NOT be applied in case
+of a publicly-referenced SMTP server. Instead, this option should
+be used only on dedicated servers. </dd>
+
+</dl>
+
+<p> Note 1: the "verify" and "secure" levels are not supported.
+The Postfix SMTP server logs a warning and uses "encrypt" instead.
+To verify SMTP client certificates, see <a href="TLS_README.html">TLS_README</a> for a discussion
+of the <a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>, <a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a>, and <a href="postconf.5.html#permit_tls_clientcerts">permit_tls_clientcerts</a>
+features. </p>
+
+<p> Note 2: The parameter setting "<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> =
+encrypt" implies "<a href="postconf.5.html#smtpd_tls_auth_only">smtpd_tls_auth_only</a> = yes".</p>
+
+<p> Note 3: when invoked via "sendmail -bs", Postfix will never
+offer STARTTLS due to insufficient privileges to access the server
+private key. This is intended behavior.</p>
+
+
</DD>
<DT><b><a name="smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a>
<DT><b><a name="smtpd_use_tls">smtpd_use_tls</a>
(default: no)</b></DT><DD>
-<p> Opportunistic mode: announce STARTTLS support to SMTP clients,
+<p> Opportunistic TLS: announce STARTTLS support to SMTP clients,
but do not require that clients use TLS encryption. </p>
<p> Note: when invoked via "<b>sendmail -bs</b>", Postfix will never offer
STARTTLS due to insufficient privileges to access the server private
key. This is intended behavior. </p>
-<p> This feature is available in Postfix 2.2 and later. </p>
+<p> This feature is available in Postfix 2.2 and later. With
+Postfix 2.3 and later use <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> instead. </p>
</DD>
found in the <a href="TLS_README.html">TLS_README</a> document.
<b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b>
- The default SMTP TLS security level for all desti-
- nations; when a non-empty value is specified, this
- overrides the obsolete parameters <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>,
- <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>, and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>.
+ The default SMTP TLS security level for the Postfix
+ SMTP client; when a non-empty value is specified,
+ this overrides the obsolete parameters
+ <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>, and
+ <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>.
<b><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a> ($<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_secu</a>-</b>
<b><a href="postconf.5.html#smtp_sasl_security_options">rity_options</a>)</b>
- The SASL authentication security options that the
- Postfix SMTP client uses for TLS encrypted SMTP
+ The SASL authentication security options that the
+ Postfix SMTP client uses for TLS encrypted SMTP
sessions.
<b><a href="postconf.5.html#smtp_starttls_timeout">smtp_starttls_timeout</a> (300s)</b>
- Time limit for Postfix SMTP client write and read
- operations during TLS startup and shutdown hand-
+ Time limit for Postfix SMTP client write and read
+ operations during TLS startup and shutdown hand-
shake procedures.
<b><a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> (empty)</b>
- The file with the certificate of the certification
- authority (CA) that issued the Postfix SMTP client
+ The file with the certificate of the certification
+ authority (CA) that issued the Postfix SMTP client
certificate.
<b><a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> (empty)</b>
- Directory with PEM format certificate authority
- certificates that the Postfix SMTP client uses to
+ Directory with PEM format certificate authority
+ certificates that the Postfix SMTP client uses to
verify a remote SMTP server certificate.
<b><a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> (empty)</b>
- File with the Postfix SMTP client RSA certificate
+ File with the Postfix SMTP client RSA certificate
in PEM format.
<b><a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> (medium)</b>
- The minimum SMTP client TLS cipher grade that is
- strong enough to be used with the "encrypt" secu-
+ The minimum SMTP client TLS cipher grade that is
+ strong enough to be used with the "encrypt" secu-
rity level and higher.
<b><a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> (empty)</b>
<b><a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> (empty)</b>
List of ciphers or cipher types to exclude from the
- SMTP client cipher list at the mandatory TLS secu-
+ SMTP client cipher list at the mandatory TLS secu-
rity levels: "encrypt", "verify" and "secure".
<b><a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> (empty)</b>
- File with the Postfix SMTP client DSA certificate
+ File with the Postfix SMTP client DSA certificate
in PEM format.
<b><a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> ($<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>)</b>
- File with the Postfix SMTP client DSA private key
+ File with the Postfix SMTP client DSA private key
in PEM format.
<b><a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a> ($<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>)</b>
- File with the Postfix SMTP client RSA private key
+ File with the Postfix SMTP client RSA private key
in PEM format.
<b><a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> (0)</b>
- Enable additional Postfix SMTP client logging of
+ Enable additional Postfix SMTP client logging of
TLS activity.
<b><a href="postconf.5.html#smtp_tls_note_starttls_offer">smtp_tls_note_starttls_offer</a> (no)</b>
- Log the hostname of a remote SMTP server that
- offers STARTTLS, when TLS is not already enabled
+ Log the hostname of a remote SMTP server that
+ offers STARTTLS, when TLS is not already enabled
for that server.
<b><a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> (empty)</b>
Optional lookup tables with the Postfix SMTP client
TLS security policy by next-hop destination; when a
- non-empty value is specified, this overrides the
+ non-empty value is specified, this overrides the
obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter.
<b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (SSLv3, TLSv1)</b>
- List of TLS protocol versions that are secure
+ List of TLS protocol versions that are secure
enough to be used with the "encrypt" security level
and higher.
<b><a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a> (5)</b>
- The verification depth for remote SMTP server cer-
+ The verification depth for remote SMTP server cer-
tificates.
<b><a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> (nexthop, dot-nexthop)</b>
for the "secure" TLS security level.
<b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b>
- Name of the file containing the optional Postfix
+ Name of the file containing the optional Postfix
SMTP client TLS session cache.
<b><a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> (3600s)</b>
for the "verify" TLS security level.
<b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b>
- The
number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a>
- or
<a href="smtpd.8.html"><b>smtpd</b>(8)</a> process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>
- server in order to seed its internal pseudo random
+ The
number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a>
+ or
<a href="smtpd.8.html"><b>smtpd</b>(8)</a> process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>
+ server in order to seed its internal pseudo random
number generator (PRNG).
<b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a></b>
ciphers.
<b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (!EXPORT:ALL:+RC4:@STRENGTH)</b>
- The OpenSSL cipherlist for "LOW" or higher grade
+ The OpenSSL cipherlist for "LOW" or higher grade
ciphers.
<b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (ALL:+RC4:@STRENGTH)</b>
ciphers.
<b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (!aNULL:eNULL+kRSA)</b>
- The OpenSSL cipherlist for "NULL" grade ciphers
+ The OpenSSL cipherlist for "NULL" grade ciphers
that provide authentication without encryption.
Available in Postfix version 2.4 and later:
<b><a href="postconf.5.html#smtp_sasl_tls_verified_security_options">smtp_sasl_tls_verified_security_options</a></b>
<b>($<a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a>)</b>
- The SASL authentication security options that the
- Postfix SMTP client uses for TLS encrypted SMTP
+ The SASL authentication security options that the
+ Postfix SMTP client uses for TLS encrypted SMTP
sessions with a verified server certificate.
<b>OBSOLETE STARTTLS CONTROLS</b>
- The following configuration parameters exist for compati-
+ The following configuration parameters exist for compati-
bility with Postfix versions before 2.3. Support for these
will be removed in a future release.
<b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
- Opportunistic mode: use TLS when a remote SMTP
- server announces STARTTLS support, otherwise send
+ Opportunistic mode: use TLS when a remote SMTP
+ server announces STARTTLS support, otherwise send
the mail in the clear.
<b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
- Enforcement mode: require that remote SMTP servers
- use TLS encryption, and never send mail in the
+ Enforcement mode: require that remote SMTP servers
+ use TLS encryption, and never send mail in the
clear.
<b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
- When TLS encryption is enforced, require that the
+ When TLS encryption is enforced, require that the
remote SMTP server hostname matches the information
in the remote SMTP server certificate.
<b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
Optional lookup tables with the Postfix SMTP client
- TLS usage policy by next-hop destination and by
+ TLS usage policy by next-hop destination and by
remote SMTP server hostname.
<b>RESOURCE AND RATE CONTROLS</b>
<b><a href="postconf.5.html#smtp_destination_concurrency_limit">smtp_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destina</a>-</b>
<b><a href="postconf.5.html#default_destination_concurrency_limit">tion_concurrency_limit</a>)</b>
- The maximal number of parallel deliveries to the
- same destination via the smtp message delivery
+ The maximal number of parallel deliveries to the
+ same destination via the smtp message delivery
transport.
<b><a href="postconf.5.html#smtp_destination_recipient_limit">smtp_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destina</a>-</b>
<b><a href="postconf.5.html#default_destination_recipient_limit">tion_recipient_limit</a>)</b>
- The maximal number of recipients per delivery via
+ The maximal number of recipients per delivery via
the smtp message delivery transport.
<b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
- The SMTP client time limit for completing a TCP
+ The SMTP client time limit for completing a TCP
connection, or zero (use the operating system
built-in time limit).
<b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
- The SMTP client time limit for sending the HELO or
- EHLO command, and for receiving the initial server
+ The SMTP client time limit for sending the HELO or
+ EHLO command, and for receiving the initial server
response.
<b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
- The LMTP client time limit for sending the LHLO
+ The LMTP client time limit for sending the LHLO
command, and for receiving the initial server
response.
command, and for receiving the server response.
<b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
- The SMTP client time limit for sending the MAIL
- FROM command, and for receiving the server
+ The SMTP client time limit for sending the MAIL
+ FROM command, and for receiving the server
response.
<b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
- The SMTP client time limit for sending the SMTP
- RCPT TO command, and for receiving the server
+ The SMTP client time limit for sending the SMTP
+ RCPT TO command, and for receiving the server
response.
<b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
- The SMTP client time limit for sending the SMTP
- DATA command, and for receiving the server
+ The SMTP client time limit for sending the SMTP
+ DATA command, and for receiving the server
response.
<b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
- The SMTP client time limit for sending the SMTP
+ The SMTP client time limit for sending the SMTP
message content.
<b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
- The SMTP client time limit for sending the SMTP
+ The SMTP client time limit for sending the SMTP
".", and for receiving the server response.
<b><a href="postconf.5.html#smtp_quit_timeout">smtp_quit_timeout</a> (300s)</b>
- The SMTP client time limit for sending the QUIT
+ The SMTP client time limit for sending the QUIT
command, and for receiving the server response.
Available in Postfix version 2.1 and later:
lookups, or zero (no limit).
<b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
- The maximal number of SMTP sessions per delivery
- request before giving up or delivering to a fall-
+ The maximal number of SMTP sessions per delivery
+ request before giving up or delivering to a fall-
back <a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit).
<b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
- The SMTP client time limit for sending the RSET
+ The SMTP client time limit for sending the RSET
command, and for receiving the server response.
Available in Postfix version 2.2 and earlier:
Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
- Permanently enable SMTP connection caching for the
+ Permanently enable SMTP connection caching for the
specified destinations.
<b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
- Temporarily enable SMTP connection caching while a
+ Temporarily enable SMTP connection caching while a
destination has a high volume of mail in the active
queue.
<b><a href="postconf.5.html#smtp_connection_cache_time_limit">smtp_connection_cache_time_limit</a> (2s)</b>
When SMTP connection caching is enabled, the amount
- of time that an unused SMTP client socket is kept
+ of time that an unused SMTP client socket is kept
open before it is closed.
Available in Postfix version 2.3 and later:
<b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b>
- Time limit for connection cache connect, send or
+ Time limit for connection cache connect, send or
receive operations.
<b>TROUBLE SHOOTING CONTROLS</b>
<b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
- The increment in verbose logging level when a
- remote client or server matches a pattern in the
+ The increment in verbose logging level when a
+ remote client or server matches a pattern in the
<a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
<b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
- Optional list of remote client or server hostname
- or network address patterns that cause the verbose
- logging level to increase by the amount specified
+ Optional list of remote client or server hostname
+ or network address patterns that cause the verbose
+ logging level to increase by the amount specified
in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
<b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
- The recipient of postmaster notifications about
- mail delivery problems that are caused by policy,
+ The recipient of postmaster notifications about
+ mail delivery problems that are caused by policy,
resource, software or protocol errors.
<b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
- The list of error classes that are reported to the
+ The list of error classes that are reported to the
postmaster.
<b>MISCELLANEOUS CONTROLS</b>
<b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b>
- Where the Postfix SMTP client should deliver mail
+ Where the Postfix SMTP client should deliver mail
when it detects a "mail loops back to myself" error
condition.
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
- The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
+ The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
<a href="master.5.html">master.cf</a> configuration files.
<b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
- How much time a Postfix daemon process may take to
- handle a request before it is terminated by a
+ How much time a Postfix daemon process may take to
+ handle a request before it is terminated by a
built-in watchdog timer.
<b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
- The maximal number of digits after the decimal
+ The maximal number of digits after the decimal
point when logging sub-second delay values.
<b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
- Disable DNS lookups in the Postfix SMTP and LMTP
+ Disable DNS lookups in the Postfix SMTP and LMTP
clients.
<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
tem receives mail on.
<b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (ipv4)</b>
- The Internet protocols Postfix will attempt to use
+ The Internet protocols Postfix will attempt to use
when making or accepting connections.
<b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
over an internal communication channel.
<b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b>
- The default TCP port that the Postfix LMTP client
+ The default TCP port that the Postfix LMTP client
connects to.
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
- The maximum amount of time that an idle Postfix
- daemon process waits for the next service request
+ The maximum amount of time that an idle Postfix
+ daemon process waits for the next service request
before exiting.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
- The maximal number of connection requests before a
+ The maximal number of connection requests before a
Postfix daemon process terminates.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
- The process ID of a Postfix command or daemon
+ The process ID of a Postfix command or daemon
process.
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
- The process name of a Postfix command or daemon
+ The process name of a Postfix command or daemon
process.
<b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
The network interface addresses that this mail sys-
- tem receives mail on by way of a proxy or network
+ tem receives mail on by way of a proxy or network
address translation unit.
<b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
An optional numerical network address that the SMTP
- client should bind to when making an IPv4 connec-
+ client should bind to when making an IPv4 connec-
tion.
<b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
An optional numerical network address that the SMTP
- client should bind to when making an IPv6 connec-
+ client should bind to when making an IPv6 connec-
tion.
<b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
- The hostname to send in the SMTP EHLO or HELO com-
+ The hostname to send in the SMTP EHLO or HELO com-
mand.
<b><a href="postconf.5.html#lmtp_lhloname">lmtp_lhlo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
The hostname to send in the LMTP LHLO command.
<b><a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a> (dns)</b>
- What mechanisms when the SMTP client uses to look
+ What mechanisms when the SMTP client uses to look
up a host's IP address.
<b><a href="postconf.5.html#smtp_randomize_addresses">smtp_randomize_addresses</a> (yes)</b>
- Randomize the order of equal-preference MX host
+ Randomize the order of equal-preference MX host
addresses.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
Available with Postfix 2.2 and earlier:
<b><a href="postconf.5.html#fallback_relay">fallback_relay</a> (empty)</b>
- Optional list of relay hosts for SMTP destinations
+ Optional list of relay hosts for SMTP destinations
that can't be found or that are unreachable.
Available with Postfix 2.3 and later:
<b><a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a> ($<a href="postconf.5.html#fallback_relay">fallback_relay</a>)</b>
- Optional list of relay hosts for SMTP destinations
+ Optional list of relay hosts for SMTP destinations
that can't be found or that are unreachable.
<b>SEE ALSO</b>
<a href="TLS_README.html">TLS_README</a>, Postfix STARTTLS howto
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>
found in the <a href="TLS_README.html">TLS_README</a> document.
<b><a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> (no)</b>
- Opportunistic mode: announce STARTTLS support to
+ Opportunistic TLS: announce STARTTLS support to
SMTP clients, but do not require that clients use
TLS encryption.
<b><a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> (no)</b>
- Enforcement mode: announce STARTTLS support to SMTP
+ Mandatory TLS: announce STARTTLS support to SMTP
clients, and require that clients use TLS encryp-
tion.
TLS activity.
<b><a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> (empty)</b>
- The list of TLS protocols supported by the server.
+ The list of TLS protocols supported by the Postfix
+ SMTP server.
<b><a href="postconf.5.html#smtpd_tls_received_header">smtpd_tls_received_header</a> (no)</b>
Request that the Postfix SMTP server produces
server in order to seed its internal pseudo random
number generator (PRNG).
+ Available in Postfix version 2.3 and later:
+
+ <b><a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> (empty)</b>
+ The SMTP TLS security level for the Postfix SMTP
+ server; when a non-empty value is specified, this
+ overrides the obsolete parameters <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> and
+ <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>.
+
<b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a></b>
<b>(!EXPORT:!LOW:!MEDIUM:ALL:+RC4:@STRENGTH)</b>
The OpenSSL cipherlist for "HIGH" grade ciphers.
ciphers.
<b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (!EXPORT:ALL:+RC4:@STRENGTH)</b>
- The OpenSSL cipherlist for "LOW" or higher grade
+ The OpenSSL cipherlist for "LOW" or higher grade
ciphers.
<b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (ALL:+RC4:@STRENGTH)</b>
ciphers.
<b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (!aNULL:eNULL+kRSA)</b>
- The OpenSSL cipherlist for "NULL" grade ciphers
+ The OpenSSL cipherlist for "NULL" grade ciphers
that provide authentication without encryption.
<b>VERP SUPPORT CONTROLS</b>
- With VERP style delivery, each recipient of a message
+ With VERP style delivery, each recipient of a message
receives a customized copy of the message with his/her own
- recipient address encoded in the envelope sender address.
+ recipient address encoded in the envelope sender address.
The <a href="VERP_README.html">VERP_README</a> file describes configuration and operation
- details of Postfix support for variable envelope return
+ details of Postfix support for variable envelope return
path addresses. VERP style delivery is requested with the
- SMTP XVERP command or with the "sendmail -V" command-line
- option and is available in Postfix version 1.1 and later.
+ SMTP XVERP command or with the "sendmail -V" command-line
+ option and is available in Postfix version 1.1 and later.
<b><a href="postconf.5.html#default_verp_delimiters">default_verp_delimiters</a> (+=)</b>
The two default VERP delimiter characters.
<b><a href="postconf.5.html#verp_delimiter_filter">verp_delimiter_filter</a> (-=+)</b>
- The characters Postfix accepts as VERP delimiter
- characters on the Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command line
+ The characters Postfix accepts as VERP delimiter
+ characters on the Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command line
and in SMTP commands.
Available in Postfix version 1.1 and 2.0:
<b><a href="postconf.5.html#authorized_verp_clients">authorized_verp_clients</a> ($<a href="postconf.5.html#mynetworks">mynetworks</a>)</b>
- What SMTP clients are allowed to specify the XVERP
+ What SMTP clients are allowed to specify the XVERP
command.
Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtpd_authorized_verp_clients">smtpd_authorized_verp_clients</a> ($<a href="postconf.5.html#authorized_verp_clients">authorized_verp_clients</a>)</b>
- What SMTP clients are allowed to specify the XVERP
+ What SMTP clients are allowed to specify the XVERP
command.
<b>TROUBLE SHOOTING CONTROLS</b>
- The <a href="DEBUG_README.html">DEBUG_README</a> document describes how to debug parts of
- the Postfix mail system. The methods vary from making the
- software log a lot of detail, to running some daemon pro-
+ The <a href="DEBUG_README.html">DEBUG_README</a> document describes how to debug parts of
+ the Postfix mail system. The methods vary from making the
+ software log a lot of detail, to running some daemon pro-
cesses under control of a call tracer or debugger.
<b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
- The increment in verbose logging level when a
- remote client or server matches a pattern in the
+ The increment in verbose logging level when a
+ remote client or server matches a pattern in the
<a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
<b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
- Optional list of remote client or server hostname
- or network address patterns that cause the verbose
- logging level to increase by the amount specified
+ Optional list of remote client or server hostname
+ or network address patterns that cause the verbose
+ logging level to increase by the amount specified
in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
<b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
- The recipient of postmaster notifications about
- mail delivery problems that are caused by policy,
+ The recipient of postmaster notifications about
+ mail delivery problems that are caused by policy,
resource, software or protocol errors.
<b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
- The list of error classes that are reported to the
+ The list of error classes that are reported to the
postmaster.
<b><a href="postconf.5.html#soft_bounce">soft_bounce</a> (no)</b>
Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtpd_authorized_xclient_hosts">smtpd_authorized_xclient_hosts</a> (empty)</b>
- What SMTP clients are allowed to use the XCLIENT
+ What SMTP clients are allowed to use the XCLIENT
feature.
<b>KNOWN VERSUS UNKNOWN RECIPIENT CONTROLS</b>
- As of Postfix version 2.0, the SMTP server rejects mail
- for unknown recipients. This prevents the mail queue from
- clogging up with undeliverable MAILER-DAEMON messages.
- Additional information on this topic is in the
+ As of Postfix version 2.0, the SMTP server rejects mail
+ for unknown recipients. This prevents the mail queue from
+ clogging up with undeliverable MAILER-DAEMON messages.
+ Additional information on this topic is in the
<a href="LOCAL_RECIPIENT_README.html">LOCAL_RECIPIENT_README</a> and <a href="ADDRESS_CLASS_README.html">ADDRESS_CLASS_README</a> documents.
<b><a href="postconf.5.html#show_user_unknown_table_name">show_user_unknown_table_name</a> (yes)</b>
- Display the name of the recipient table in the
+ Display the name of the recipient table in the
"User unknown" responses.
<b><a href="postconf.5.html#canonical_maps">canonical_maps</a> (empty)</b>
- Optional address mapping lookup tables for message
+ Optional address mapping lookup tables for message
headers and envelopes.
<b><a href="postconf.5.html#recipient_canonical_maps">recipient_canonical_maps</a> (empty)</b>
<b><a href="postconf.5.html#mydestination">mydestination</a> ($<a href="postconf.5.html#myhostname">myhostname</a>, localhost.$<a href="postconf.5.html#mydomain">mydomain</a>, local-</b>
<b>host)</b>
- The list of domains that are delivered via the
+ The list of domains that are delivered via the
$<a href="postconf.5.html#local_transport">local_transport</a> mail delivery transport.
<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
<b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
The network interface addresses that this mail sys-
- tem receives mail on by way of a proxy or network
+ tem receives mail on by way of a proxy or network
address translation unit.
<b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (ipv4)</b>
- The Internet protocols Postfix will attempt to use
+ The Internet protocols Postfix will attempt to use
when making or accepting connections.
<b><a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> (<a href="proxymap.8.html">proxy</a>:unix:passwd.byname</b>
<b>$<a href="postconf.5.html#alias_maps">alias_maps</a>)</b>
- Lookup tables with all names or addresses of local
- recipients: a recipient address is local when its
- domain matches $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> or
+ Lookup tables with all names or addresses of local
+ recipients: a recipient address is local when its
+ domain matches $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> or
$<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>.
<b><a href="postconf.5.html#unknown_local_recipient_reject_code">unknown_local_recipient_reject_code</a> (550)</b>
- The numerical Postfix SMTP server response code
- when a recipient address is local, and
- $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> specifies a list of lookup
+ The numerical Postfix SMTP server response code
+ when a recipient address is local, and
+ $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> specifies a list of lookup
tables that does not match the recipient.
- Parameters concerning known/unknown recipients of relay
+ Parameters concerning known/unknown recipients of relay
destinations:
<b><a href="postconf.5.html#relay_domains">relay_domains</a> ($<a href="postconf.5.html#mydestination">mydestination</a>)</b>
- What destination domains (and subdomains thereof)
+ What destination domains (and subdomains thereof)
this system will relay mail to.
<b><a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> (empty)</b>
- Optional lookup tables with all valid addresses in
+ Optional lookup tables with all valid addresses in
the domains that match $<a href="postconf.5.html#relay_domains">relay_domains</a>.
<b><a href="postconf.5.html#unknown_relay_recipient_reject_code">unknown_relay_recipient_reject_code</a> (550)</b>
The numerical Postfix SMTP server reply code when a
- recipient address matches $<a href="postconf.5.html#relay_domains">relay_domains</a>, and
- <a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> specifies a list of lookup
+ recipient address matches $<a href="postconf.5.html#relay_domains">relay_domains</a>, and
+ <a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> specifies a list of lookup
tables that does not match the recipient address.
- Parameters concerning known/unknown recipients in virtual
+ Parameters concerning known/unknown recipients in virtual
alias domains:
<b><a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a> ($<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a>)</b>
Postfix is final destination for the specified list
- of virtual alias domains, that is, domains for
- which all addresses are aliased to addresses in
+ of virtual alias domains, that is, domains for
+ which all addresses are aliased to addresses in
other local or remote domains.
<b><a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> ($<a href="postconf.5.html#virtual_maps">virtual_maps</a>)</b>
- Optional lookup tables that alias specific mail
- addresses or domains to other local or remote
+ Optional lookup tables that alias specific mail
+ addresses or domains to other local or remote
address.
<b><a href="postconf.5.html#unknown_virtual_alias_reject_code">unknown_virtual_alias_reject_code</a> (550)</b>
The SMTP server reply code when a recipient address
- matches
$<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, and $<a href="postconf.5.html#virtual_alias_maps">vir</a>-
- <a href="postconf.5.html#virtual_alias_maps">tual_alias_maps</a> specifies a list of lookup tables
+ matches
$<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, and $<a href="postconf.5.html#virtual_alias_maps">vir</a>-
+ <a href="postconf.5.html#virtual_alias_maps">tual_alias_maps</a> specifies a list of lookup tables
that does not match the recipient address.
- Parameters concerning known/unknown recipients in virtual
+ Parameters concerning known/unknown recipients in virtual
mailbox domains:
<b><a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a> ($<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a>)</b>
Postfix is final destination for the specified list
- of
domains; mail is delivered via the $<a href="postconf.5.html#virtual_transport">vir</a>-
+ of
domains; mail is delivered via the $<a href="postconf.5.html#virtual_transport">vir</a>-
<a href="postconf.5.html#virtual_transport">tual_transport</a> mail delivery transport.
<b><a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a> (empty)</b>
- Optional lookup tables with all valid addresses in
+ Optional lookup tables with all valid addresses in
the domains that match $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>.
<b><a href="postconf.5.html#unknown_virtual_mailbox_reject_code">unknown_virtual_mailbox_reject_code</a> (550)</b>
The SMTP server reply code when a recipient address
- matches
$<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>, and $<a href="postconf.5.html#virtual_mailbox_maps">vir</a>-
+ matches
$<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>, and $<a href="postconf.5.html#virtual_mailbox_maps">vir</a>-
<a href="postconf.5.html#virtual_mailbox_maps">tual_mailbox_maps</a> specifies a list of lookup tables
that does not match the recipient address.
<b>RESOURCE AND RATE CONTROLS</b>
- The following parameters limit resource usage by the SMTP
+ The following parameters limit resource usage by the SMTP
server and/or control client request rates.
<b><a href="postconf.5.html#line_length_limit">line_length_limit</a> (2048)</b>
- Upon input, long lines are chopped up into pieces
- of at most this length; upon delivery, long lines
+ Upon input, long lines are chopped up into pieces
+ of at most this length; upon delivery, long lines
are reconstructed.
<b><a href="postconf.5.html#queue_minfree">queue_minfree</a> (0)</b>
- The minimal amount of free space in bytes in the
+ The minimal amount of free space in bytes in the
queue file system that is needed to receive mail.
<b><a href="postconf.5.html#message_size_limit">message_size_limit</a> (10240000)</b>
- The maximal size in bytes of a message, including
+ The maximal size in bytes of a message, including
envelope information.
<b><a href="postconf.5.html#smtpd_recipient_limit">smtpd_recipient_limit</a> (1000)</b>
- The maximal number of recipients that the Postfix
+ The maximal number of recipients that the Postfix
SMTP server accepts per message delivery request.
<b><a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> (300s)</b>
- The time limit for sending a Postfix SMTP server
- response and for receiving a remote SMTP client
+ The time limit for sending a Postfix SMTP server
+ response and for receiving a remote SMTP client
request.
<b><a href="postconf.5.html#smtpd_history_flush_threshold">smtpd_history_flush_threshold</a> (100)</b>
- The maximal number of lines in the Postfix SMTP
- server command history before it is flushed upon
+ The maximal number of lines in the Postfix SMTP
+ server command history before it is flushed upon
receipt of EHLO, RSET, or end of DATA.
Available in Postfix version 2.3 and later:
<b><a href="postconf.5.html#smtpd_peername_lookup">smtpd_peername_lookup</a> (yes)</b>
- Attempt to look up the SMTP client hostname, and
+ Attempt to look up the SMTP client hostname, and
verify that the name matches the client IP address.
The per SMTP client connection count and request rate lim-
its are implemented in co-operation with the <a href="anvil.8.html"><b>anvil</b>(8)</a> ser-
- vice, and are available in Postfix version 2.2 and later.
+ vice, and are available in Postfix version 2.2 and later.
<b><a href="postconf.5.html#smtpd_client_connection_count_limit">smtpd_client_connection_count_limit</a> (50)</b>
- How many simultaneous connections any client is
+ How many simultaneous connections any client is
allowed to make to this service.
<b><a href="postconf.5.html#smtpd_client_connection_rate_limit">smtpd_client_connection_rate_limit</a> (0)</b>
The maximal number of connection attempts any
- client is allowed to make to this service per time
+ client is allowed to make to this service per time
unit.
<b><a href="postconf.5.html#smtpd_client_message_rate_limit">smtpd_client_message_rate_limit</a> (0)</b>
- The maximal number of message delivery requests
- that any client is allowed to make to this service
+ The maximal number of message delivery requests
+ that any client is allowed to make to this service
per time unit, regardless of whether or not Postfix
actually accepts those messages.
<b><a href="postconf.5.html#smtpd_client_recipient_rate_limit">smtpd_client_recipient_rate_limit</a> (0)</b>
- The maximal number of recipient addresses that any
- client is allowed to send to this service per time
+ The maximal number of recipient addresses that any
+ client is allowed to send to this service per time
unit, regardless of whether or not Postfix actually
accepts those recipients.
<b><a href="postconf.5.html#smtpd_client_event_limit_exceptions">smtpd_client_event_limit_exceptions</a> ($<a href="postconf.5.html#mynetworks">mynetworks</a>)</b>
- Clients that are excluded from connection count,
+ Clients that are excluded from connection count,
connection rate, or SMTP request rate restrictions.
Available in Postfix version 2.3 and later:
tiate with this service per time unit.
<b>TARPIT CONTROLS</b>
- When a remote SMTP client makes errors, the Postfix SMTP
- server can insert delays before responding. This can help
- to slow down run-away software. The behavior is con-
- trolled by an error counter that counts the number of
- errors within an SMTP session that a client makes without
+ When a remote SMTP client makes errors, the Postfix SMTP
+ server can insert delays before responding. This can help
+ to slow down run-away software. The behavior is con-
+ trolled by an error counter that counts the number of
+ errors within an SMTP session that a client makes without
delivering mail.
<b><a href="postconf.5.html#smtpd_error_sleep_time">smtpd_error_sleep_time</a> (1s)</b>
With Postfix version 2.1 and later: the SMTP server
- response delay after a client has made more than
- $<a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a> errors, and fewer than
- $<a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> errors, without delivering
+ response delay after a client has made more than
+ $<a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a> errors, and fewer than
+ $<a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> errors, without delivering
mail.
<b><a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a> (10)</b>
- The number of errors a remote SMTP client is
- allowed to make without delivering mail before the
+ The number of errors a remote SMTP client is
+ allowed to make without delivering mail before the
Postfix SMTP server slows down all its responses.
<b><a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> (20)</b>
- The maximal number of errors a remote SMTP client
+ The maximal number of errors a remote SMTP client
is allowed to make without delivering mail.
<b><a href="postconf.5.html#smtpd_junk_command_limit">smtpd_junk_command_limit</a> (100)</b>
- The number of junk commands (NOOP, VRFY, ETRN or
+ The number of junk commands (NOOP, VRFY, ETRN or
RSET) that a remote SMTP client can send before the
- Postfix SMTP server starts to increment the error
+ Postfix SMTP server starts to increment the error
counter with each junk command.
Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtpd_recipient_overshoot_limit">smtpd_recipient_overshoot_limit</a> (1000)</b>
- The number of recipients that a remote SMTP client
- can send in excess of the limit specified with
+ The number of recipients that a remote SMTP client
+ can send in excess of the limit specified with
$<a href="postconf.5.html#smtpd_recipient_limit">smtpd_recipient_limit</a>, before the Postfix SMTP
- server increments the per-session error count for
+ server increments the per-session error count for
each excess recipient.
<b>ACCESS POLICY DELEGATION CONTROLS</b>
- As of version 2.1, Postfix can be configured to delegate
- access policy decisions to an external server that runs
- outside Postfix. See the file <a href="SMTPD_POLICY_README.html">SMTPD_POLICY_README</a> for
+ As of version 2.1, Postfix can be configured to delegate
+ access policy decisions to an external server that runs
+ outside Postfix. See the file <a href="SMTPD_POLICY_README.html">SMTPD_POLICY_README</a> for
more information.
<b><a href="postconf.5.html#smtpd_policy_service_max_idle">smtpd_policy_service_max_idle</a> (300s)</b>
- The time after which an idle SMTPD policy service
+ The time after which an idle SMTPD policy service
connection is closed.
<b><a href="postconf.5.html#smtpd_policy_service_max_ttl">smtpd_policy_service_max_ttl</a> (1000s)</b>
connection is closed.
<b><a href="postconf.5.html#smtpd_policy_service_timeout">smtpd_policy_service_timeout</a> (100s)</b>
- The time limit for connecting to, writing to or
+ The time limit for connecting to, writing to or
receiving from a delegated SMTPD policy server.
<b>ACCESS CONTROLS</b>
- The <a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a> document gives an introduction to
+ The <a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a> document gives an introduction to
all the SMTP server access control features.
<b><a href="postconf.5.html#smtpd_delay_reject">smtpd_delay_reject</a> (yes)</b>
- Wait until the RCPT TO command before evaluating
+ Wait until the RCPT TO command before evaluating
$<a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a>, $smtpd_helo_restric-
tions and $<a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a>, or wait until
- the ETRN command before evaluating
+ the ETRN command before evaluating
$<a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> and $smtpd_helo_restric-
tions.
- <b><a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a> (see 'postconf -d' out-</b>
+ <b><a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a> (see 'postconf -d' out-</b>
<b>put)</b>
What Postfix features match subdomains of
"domain.tld" automatically, instead of requiring an
explicit ".domain.tld" pattern.
<b><a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> (empty)</b>
- Optional SMTP server access restrictions in the
+ Optional SMTP server access restrictions in the
context of a client SMTP connection request.
<b><a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> (no)</b>
Require that a remote SMTP client introduces itself
- at the beginning of an SMTP session with the HELO
+ at the beginning of an SMTP session with the HELO
or EHLO command.
<b><a href="postconf.5.html#smtpd_helo_restrictions">smtpd_helo_restrictions</a> (empty)</b>
- Optional restrictions that the Postfix SMTP server
+ Optional restrictions that the Postfix SMTP server
applies in the context of the SMTP HELO command.
<b><a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a> (empty)</b>
- Optional restrictions that the Postfix SMTP server
+ Optional restrictions that the Postfix SMTP server
applies in the context of the MAIL FROM command.
<b><a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> (<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>,</b>
<b><a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>)</b>
The access restrictions that the Postfix SMTP
- server applies in the context of the RCPT TO com-
+ server applies in the context of the RCPT TO com-
mand.
<b><a href="postconf.5.html#smtpd_etrn_restrictions">smtpd_etrn_restrictions</a> (empty)</b>
- Optional SMTP server access restrictions in the
+ Optional SMTP server access restrictions in the
context of a client ETRN request.
<b><a href="postconf.5.html#allow_untrusted_routing">allow_untrusted_routing</a> (no)</b>
- Forward mail with sender-specified routing
- (user[@%!]remote[@%!]site) from untrusted clients
+ Forward mail with sender-specified routing
+ (user[@%!]remote[@%!]site) from untrusted clients
to destinations matching $<a href="postconf.5.html#relay_domains">relay_domains</a>.
<b><a href="postconf.5.html#smtpd_restriction_classes">smtpd_restriction_classes</a> (empty)</b>
- User-defined aliases for groups of access restric-
+ User-defined aliases for groups of access restric-
tions.
<b><a href="postconf.5.html#smtpd_null_access_lookup_key">smtpd_null_access_lookup_key</a> (</b><><b>)</b>
- The lookup key to be used in SMTP <a href="access.5.html"><b>access</b>(5)</a> tables
+ The lookup key to be used in SMTP <a href="access.5.html"><b>access</b>(5)</a> tables
instead of the null sender address.
<b><a href="postconf.5.html#permit_mx_backup_networks">permit_mx_backup_networks</a> (empty)</b>
Restrict the use of the <a href="postconf.5.html#permit_mx_backup">permit_mx_backup</a> SMTP
- access feature to only domains whose primary MX
+ access feature to only domains whose primary MX
hosts match the listed networks.
Available in Postfix version 2.0 and later:
<b><a href="postconf.5.html#smtpd_data_restrictions">smtpd_data_restrictions</a> (empty)</b>
- Optional access restrictions that the Postfix SMTP
+ Optional access restrictions that the Postfix SMTP
server applies in the context of the SMTP DATA com-
mand.
<b><a href="postconf.5.html#smtpd_expansion_filter">smtpd_expansion_filter</a> (see 'postconf -d' output)</b>
- What characters are allowed in $name expansions of
+ What characters are allowed in $name expansions of
RBL reply templates.
Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtpd_reject_unlisted_sender">smtpd_reject_unlisted_sender</a> (no)</b>
- Request that the Postfix SMTP server rejects mail
- from unknown sender addresses, even when no
- explicit <a href="postconf.5.html#reject_unlisted_sender">reject_unlisted_sender</a> access restriction
+ Request that the Postfix SMTP server rejects mail
+ from unknown sender addresses, even when no
+ explicit <a href="postconf.5.html#reject_unlisted_sender">reject_unlisted_sender</a> access restriction
is specified.
<b><a href="postconf.5.html#smtpd_reject_unlisted_recipient">smtpd_reject_unlisted_recipient</a> (yes)</b>
- Request that the Postfix SMTP server rejects mail
+ Request that the Postfix SMTP server rejects mail
for unknown recipient addresses, even when no
- explicit <a href="postconf.5.html#reject_unlisted_recipient">reject_unlisted_recipient</a> access restric-
+ explicit <a href="postconf.5.html#reject_unlisted_recipient">reject_unlisted_recipient</a> access restric-
tion is specified.
Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtpd_end_of_data_restrictions">smtpd_end_of_data_restrictions</a> (empty)</b>
- Optional access restrictions that the Postfix SMTP
- server applies in the context of the SMTP END-OF-
+ Optional access restrictions that the Postfix SMTP
+ server applies in the context of the SMTP END-OF-
DATA command.
<b>SENDER AND RECIPIENT ADDRESS VERIFICATION CONTROLS</b>
- Postfix version 2.1 introduces sender and recipient
- address verification. This feature is implemented by
- sending probe email messages that are not actually deliv-
- ered.
This feature is requested via the <a href="postconf.5.html#reject_unverified_sender">reject_unveri</a>-
- <a href="postconf.5.html#reject_unverified_sender">fied_sender</a> and <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a> access
- restrictions. The status of verification probes is main-
+ Postfix version 2.1 introduces sender and recipient
+ address verification. This feature is implemented by
+ sending probe email messages that are not actually deliv-
+ ered.
This feature is requested via the <a href="postconf.5.html#reject_unverified_sender">reject_unveri</a>-
+ <a href="postconf.5.html#reject_unverified_sender">fied_sender</a> and <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a> access
+ restrictions. The status of verification probes is main-
tained by the <a href="verify.8.html"><b>verify</b>(8)</a> server. See the file <a href="ADDRESS_VERIFICATION_README.html">ADDRESS_VER</a>-
- <a href="ADDRESS_VERIFICATION_README.html">IFICATION_README</a> for information about how to configure
+ <a href="ADDRESS_VERIFICATION_README.html">IFICATION_README</a> for information about how to configure
and operate the Postfix sender/recipient address verifica-
tion service.
<b><a href="postconf.5.html#address_verify_poll_count">address_verify_poll_count</a> (3)</b>
- How many times to query the <a href="verify.8.html"><b>verify</b>(8)</a> service for
- the completion of an address verification request
+ How many times to query the <a href="verify.8.html"><b>verify</b>(8)</a> service for
+ the completion of an address verification request
in progress.
<b><a href="postconf.5.html#address_verify_poll_delay">address_verify_poll_delay</a> (3s)</b>
- The delay between queries for the completion of an
+ The delay between queries for the completion of an
address verification request in progress.
<b><a href="postconf.5.html#address_verify_sender">address_verify_sender</a> (postmaster)</b>
- The sender address to use in address verification
+ The sender address to use in address verification
probes.
<b><a href="postconf.5.html#unverified_sender_reject_code">unverified_sender_reject_code</a> (450)</b>
- The numerical Postfix SMTP server response code
- when a recipient address is rejected by the
+ The numerical Postfix SMTP server response code
+ when a recipient address is rejected by the
<a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a> restriction.
<b><a href="postconf.5.html#unverified_recipient_reject_code">unverified_recipient_reject_code</a> (450)</b>
- The numerical Postfix SMTP server response when a
+ The numerical Postfix SMTP server response when a
recipient address is rejected by the <a href="postconf.5.html#reject_unverified_recipient">reject_unveri</a>-
<a href="postconf.5.html#reject_unverified_recipient">fied_recipient</a> restriction.
<b>ACCESS CONTROL RESPONSES</b>
- The following parameters control numerical SMTP reply
+ The following parameters control numerical SMTP reply
codes and/or text responses.
<b><a href="postconf.5.html#access_map_reject_code">access_map_reject_code</a> (554)</b>
- The numerical Postfix SMTP server response code
- when a client is rejected by an <a href="access.5.html"><b>access</b>(5)</a> map
+ The numerical Postfix SMTP server response code
+ when a client is rejected by an <a href="access.5.html"><b>access</b>(5)</a> map
restriction.
<b><a href="postconf.5.html#defer_code">defer_code</a> (450)</b>
- The numerical Postfix SMTP server response code
- when a remote SMTP client request is rejected by
+ The numerical Postfix SMTP server response code
+ when a remote SMTP client request is rejected by
the "defer" restriction.
<b><a href="postconf.5.html#invalid_hostname_reject_code">invalid_hostname_reject_code</a> (501)</b>
- The numerical Postfix SMTP server response code
- when the client HELO or EHLO command parameter is
- rejected
by the <a href="postconf.5.html#reject_invalid_helo_hostname">reject_invalid_helo_hostname</a>
+ The numerical Postfix SMTP server response code
+ when the client HELO or EHLO command parameter is
+ rejected
by the <a href="postconf.5.html#reject_invalid_helo_hostname">reject_invalid_helo_hostname</a>
restriction.
<b><a href="postconf.5.html#maps_rbl_reject_code">maps_rbl_reject_code</a> (554)</b>
- The numerical Postfix SMTP server response code
+ The numerical Postfix SMTP server response code
when a remote SMTP client request is blocked by the
<a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a>, <a href="postconf.5.html#reject_rhsbl_client">reject_rhsbl_client</a>,
<a href="postconf.5.html#reject_rhsbl_sender">reject_rhsbl_sender</a> or <a href="postconf.5.html#reject_rhsbl_recipient">reject_rhsbl_recipient</a>
<b><a href="postconf.5.html#non_fqdn_reject_code">non_fqdn_reject_code</a> (504)</b>
The numerical Postfix SMTP server reply code when a
- client request is rejected by the
+ client request is rejected by the
<a href="postconf.5.html#reject_non_fqdn_helo_hostname">reject_non_fqdn_helo_hostname</a>,
<a href="postconf.5.html#reject_non_fqdn_sender">reject_non_fqdn_sender</a> or <a href="postconf.5.html#reject_non_fqdn_recipient">reject_non_fqdn_recipient</a>
restriction.
<b><a href="postconf.5.html#plaintext_reject_code">plaintext_reject_code</a> (450)</b>
- The numerical Postfix SMTP server response code
- when a request is rejected by the <b>reject_plain-</b>
+ The numerical Postfix SMTP server response code
+ when a request is rejected by the <b>reject_plain-</b>
<b>text_session</b> restriction.
<b><a href="postconf.5.html#reject_code">reject_code</a> (554)</b>
- The numerical Postfix SMTP server response code
- when a remote SMTP client request is rejected by
+ The numerical Postfix SMTP server response code
+ when a remote SMTP client request is rejected by
the "reject" restriction.
<b><a href="postconf.5.html#relay_domains_reject_code">relay_domains_reject_code</a> (554)</b>
- The numerical Postfix SMTP server response code
- when a client request is rejected by the
+ The numerical Postfix SMTP server response code
+ when a client request is rejected by the
<a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a> recipient restriction.
<b><a href="postconf.5.html#unknown_address_reject_code">unknown_address_reject_code</a> (450)</b>
- The numerical Postfix SMTP server response code
- when a sender or recipient address is rejected by
+ The numerical Postfix SMTP server response code
+ when a sender or recipient address is rejected by
the <a href="postconf.5.html#reject_unknown_sender_domain">reject_unknown_sender_domain</a> or
<a href="postconf.5.html#reject_unknown_recipient_domain">reject_unknown_recipient_domain</a> restriction.
<b><a href="postconf.5.html#unknown_client_reject_code">unknown_client_reject_code</a> (450)</b>
- The numerical Postfix SMTP server response code
- when a client without valid address <=> name map-
+ The numerical Postfix SMTP server response code
+ when a client without valid address <=> name map-
ping is rejected by the reject_unknown_client_host-
name restriction.
<b><a href="postconf.5.html#unknown_hostname_reject_code">unknown_hostname_reject_code</a> (450)</b>
- The numerical Postfix SMTP server response code
- when the hostname specified with the HELO or EHLO
- command is rejected by the
+ The numerical Postfix SMTP server response code
+ when the hostname specified with the HELO or EHLO
+ command is rejected by the
<a href="postconf.5.html#reject_unknown_helo_hostname">reject_unknown_helo_hostname</a> restriction.
Available in Postfix version 2.0 and later:
<b><a href="postconf.5.html#default_rbl_reply">default_rbl_reply</a> (see 'postconf -d' output)</b>
- The default SMTP server response template for a
- request that is rejected by an RBL-based restric-
+ The default SMTP server response template for a
+ request that is rejected by an RBL-based restric-
tion.
<b><a href="postconf.5.html#multi_recipient_bounce_reject_code">multi_recipient_bounce_reject_code</a> (550)</b>
- The numerical Postfix SMTP server response code
+ The numerical Postfix SMTP server response code
when a remote SMTP client request is blocked by the
<a href="postconf.5.html#reject_multi_recipient_bounce">reject_multi_recipient_bounce</a> restriction.
<b>MISCELLANEOUS CONTROLS</b>
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
- The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
+ The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
<a href="master.5.html">master.cf</a> configuration files.
<b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
- How much time a Postfix daemon process may take to
- handle a request before it is terminated by a
+ How much time a Postfix daemon process may take to
+ handle a request before it is terminated by a
built-in watchdog timer.
<b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b>
- The location of all postfix administrative com-
+ The location of all postfix administrative com-
mands.
<b><a href="postconf.5.html#double_bounce_sender">double_bounce_sender</a> (double-bounce)</b>
and most Postfix daemon processes.
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
- The maximum amount of time that an idle Postfix
- daemon process waits for the next service request
+ The maximum amount of time that an idle Postfix
+ daemon process waits for the next service request
before exiting.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
- The maximal number of connection requests before a
+ The maximal number of connection requests before a
Postfix daemon process terminates.
<b><a href="postconf.5.html#myhostname">myhostname</a> (see 'postconf -d' output)</b>
The internet hostname of this mail system.
<b><a href="postconf.5.html#mynetworks">mynetworks</a> (see 'postconf -d' output)</b>
- The list of "trusted" SMTP clients that have more
+ The list of "trusted" SMTP clients that have more
privileges than "strangers".
<b><a href="postconf.5.html#myorigin">myorigin</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
The domain name that locally-posted mail appears to
- come from, and that locally posted mail is deliv-
+ come from, and that locally posted mail is deliv-
ered to.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
- The process ID of a Postfix command or daemon
+ The process ID of a Postfix command or daemon
process.
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
- The process name of a Postfix command or daemon
+ The process name of a Postfix command or daemon
process.
<b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
- The location of the Postfix top-level queue direc-
+ The location of the Postfix top-level queue direc-
tory.
<b><a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> (empty)</b>
sions (user+foo).
<b><a href="postconf.5.html#smtpd_banner">smtpd_banner</a> ($<a href="postconf.5.html#myhostname">myhostname</a> ESMTP $<a href="postconf.5.html#mail_name">mail_name</a>)</b>
- The text that follows the 220 status code in the
+ The text that follows the 220 status code in the
SMTP greeting banner.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a> (CONNECT, GET, POST)</b>
- List of commands that causes the Postfix SMTP
- server to immediately terminate the session with a
+ List of commands that causes the Postfix SMTP
+ server to immediately terminate the session with a
221 code.
<b>SEE ALSO</b>
<a href="XFORWARD_README.html">XFORWARD_README</a>, Postfix XFORWARD extension
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>
.PP
This feature is available in Postfix 2.3 and later.
.SH smtp_tls_security_level (default: empty)
-The default SMTP TLS security level for all destinations; when
-a non-empty value is specified, this overrides the obsolete parameters
-smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
+The default SMTP TLS security level for the Postfix SMTP client;
+when a non-empty value is specified, this overrides the obsolete
+parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
.PP
Specify one of the following security levels:
.IP "\fBnone\fR"
.PP
See smtpd_data_restrictions for syntax details.
.SH smtpd_enforce_tls (default: no)
-Enforcement mode: announce STARTTLS support to SMTP clients,
+Mandatory TLS: announce STARTTLS support to SMTP clients,
and require that clients use TLS encryption. According to RFC 2487
this MUST NOT be applied in case of a publicly-referenced SMTP
server. This option is off by default and should be used only on
dedicated servers.
.PP
-Note 1: this mode implies "smtpd_tls_auth_only = yes".
+Note 1: "smtpd_enforce_tls = yes" implies "smtpd_tls_auth_only = yes".
.PP
Note 2: when invoked via "\fBsendmail -bs\fR", Postfix will never offer
STARTTLS due to insufficient privileges to access the server private
key. This is intended behavior.
.PP
-This feature is available in Postfix 2.2 and later.
+This feature is available in Postfix 2.2 and later. With
+Postfix 2.3 and later use smtpd_tls_security_level instead.
.SH smtpd_error_sleep_time (default: 1s)
With Postfix version 2.1 and later: the SMTP server response delay after
a client has made more than $smtpd_soft_error_limit errors, and
similar software, it will still insist on a server certificate.
.PP
For servers that are \fBnot\fR public Internet MX hosts, Postfix
-2.3 supports configurations with no certificates. This entails the use
-of just the anonymous TLS ciphers, which are not supported by typical
-SMTP clients. Since such clients will not, as a rule, fall back to plain
-text after a TLS handshake failure, the server will be unable to receive
-email from TLS enabled clients. To avoid accidental configurations with
-no certificates, Postfix 2.3 enables certificate-less operation only
-when the administrator explicitly sets "smtpd_tls_cert_file = none". This
-ensures that new Postfix configurations with just "smtpd_use_tls = yes"
-added, will not accidentally run with no certificates.
+2.3 supports configurations with no certificates. This entails the
+use of just the anonymous TLS ciphers, which are not supported by
+typical SMTP clients. Since such clients will not, as a rule, fall
+back to plain text after a TLS handshake failure, the server will
+be unable to receive email from TLS enabled clients. To avoid
+accidental configurations with no certificates, Postfix 2.3 enables
+certificate-less operation only when the administrator explicitly
+sets "smtpd_tls_cert_file = none". This ensures that new Postfix
+configurations will not accidentally run with no certificates.
.PP
Both RSA and DSA certificates are supported. When both types
are present, the cipher used determines which certificate will be
.PP
This feature is available in Postfix 2.2 and later.
.SH smtpd_tls_protocols (default: empty)
-The list of TLS protocols supported by the server. If empty the
-default list of protocols is used (i.e. all TLS protocol versions are
-supported). Any non-empty value is interpreted as a list of protocol
-names separated by whitespace, commas or colons. The supported protocol
-names are "SSLv2", "SSLv3" and "TLSv1", and are not
-case-sensitive.
-.PP
-DO NOT set this to a non-default value on an MX-host,
-as some clients may not support any of the narrower set of protocols,
-and may be unable to fallback to plaintext sessions. If you restrict
-the protocol list on an MX host, you may lose mail.
+The list of TLS protocols supported by the Postfix SMTP server.
+If the list is empty, the server supports all available TLS protocol
+versions. A non-empty value is a list of protocol names separated
+by whitespace, commas or colons. The supported protocol names are
+"SSLv2", "SSLv3" and "TLSv1", and are not case sensitive.
+.PP
+DO NOT set this to a non-default value on an Internet MX host,
+as this may cause inter-operability problems. If you restrict the
+protocol list on an Internet MX host, you may lose mail.
.PP
Example:
.PP
a warning written to the mail log.
.PP
This feature is available in Postfix 2.2 and later.
+.SH smtpd_tls_security_level (default: empty)
+The SMTP TLS security level for the Postfix SMTP server; when
+a non-empty value is specified, this overrides the obsolete parameters
+smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with
+"smtpd_tls_wrappermode = yes".
+.PP
+Specify one of the following security levels:
+.IP "\fBnone\fR"
+TLS will not be used.
+.IP "\fBmay\fR"
+Opportunistic TLS: announce STARTTLS support
+to SMTP clients, but do not require that clients use TLS encryption.
+.IP "\fBencrypt\fR"
+Mandatory TLS encryption: announce
+STARTTLS support to SMTP clients, and require that clients use TLS
+encryption. According to RFC 2487 this MUST NOT be applied in case
+of a publicly-referenced SMTP server. Instead, this option should
+be used only on dedicated servers.
+.PP
+Note 1: the "verify" and "secure" levels are not supported.
+The Postfix SMTP server logs a warning and uses "encrypt" instead.
+To verify SMTP client certificates, see TLS_README for a discussion
+of the smtpd_tls_ask_ccert, smtpd_tls_req_ccert, and permit_tls_clientcerts
+features.
+.PP
+Note 2: The parameter setting "smtpd_tls_security_level =
+encrypt" implies "smtpd_tls_auth_only = yes".
+.PP
+Note 3: when invoked via "sendmail -bs", Postfix will never
+offer STARTTLS due to insufficient privileges to access the server
+private key. This is intended behavior.
.SH smtpd_tls_session_cache_database (default: empty)
Name of the file containing the optional Postfix SMTP server
TLS session cache. Specify a database type that supports enumeration,
.PP
This feature is available in Postfix 2.2 and later.
.SH smtpd_use_tls (default: no)
-Opportunistic mode: announce STARTTLS support to SMTP clients,
+Opportunistic TLS: announce STARTTLS support to SMTP clients,
but do not require that clients use TLS encryption.
.PP
Note: when invoked via "\fBsendmail -bs\fR", Postfix will never offer
STARTTLS due to insufficient privileges to access the server private
key. This is intended behavior.
.PP
-This feature is available in Postfix 2.2 and later.
+This feature is available in Postfix 2.2 and later. With
+Postfix 2.3 and later use smtpd_tls_security_level instead.
.SH soft_bounce (default: no)
Safety net to keep mail queued that would otherwise be returned to
the sender. This parameter disables locally-generated bounces,
Detailed information about STARTTLS configuration may be found
in the TLS_README document.
.IP "\fBsmtp_tls_security_level (empty)\fR"
-The default SMTP TLS security level for all destinations; when
-a non-empty value is specified, this overrides the obsolete parameters
-smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
+The default SMTP TLS security level for the Postfix SMTP client;
+when a non-empty value is specified, this overrides the obsolete
+parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
.IP "\fBsmtp_sasl_tls_security_options ($smtp_sasl_security_options)\fR"
The SASL authentication security options that the Postfix SMTP
client uses for TLS encrypted SMTP sessions.
Detailed information about STARTTLS configuration may be
found in the TLS_README document.
.IP "\fBsmtpd_use_tls (no)\fR"
-Opportunistic mode: announce STARTTLS support to SMTP clients,
+Opportunistic TLS: announce STARTTLS support to SMTP clients,
but do not require that clients use TLS encryption.
.IP "\fBsmtpd_enforce_tls (no)\fR"
-Enforcement mode: announce STARTTLS support to SMTP clients,
+Mandatory TLS: announce STARTTLS support to SMTP clients,
and require that clients use TLS encryption.
.IP "\fBsmtpd_sasl_tls_security_options ($smtpd_sasl_security_options)\fR"
The SASL authentication security options that the Postfix SMTP
.IP "\fBsmtpd_tls_loglevel (0)\fR"
Enable additional Postfix SMTP server logging of TLS activity.
.IP "\fBsmtpd_tls_protocols (empty)\fR"
-The list of TLS protocols supported by the server.
+The list of TLS protocols supported by the Postfix SMTP server.
.IP "\fBsmtpd_tls_received_header (no)\fR"
Request that the Postfix SMTP server produces Received: message
headers that include information about the protocol and cipher used,
The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8)
process requests from the \fBtlsmgr\fR(8) server in order to seed its
internal pseudo random number generator (PRNG).
+.PP
+Available in Postfix version 2.3 and later:
+.IP "\fBsmtpd_tls_security_level (empty)\fR"
+The SMTP TLS security level for the Postfix SMTP server; when
+a non-empty value is specified, this overrides the obsolete parameters
+smtpd_use_tls and smtpd_enforce_tls.
.IP "\fBtls_high_cipherlist (!EXPORT:!LOW:!MEDIUM:ALL:+RC4:@STRENGTH)\fR"
The OpenSSL cipherlist for "HIGH" grade ciphers.
.IP "\fBtls_medium_cipherlist (!EXPORT:!LOW:ALL:+RC4:@STRENGTH)\fR"
s;\bsmtpd_tls_dh512_param_file\b;<a href="postconf.5.html#smtpd_tls_dh512_param_file">$&</a>;g;
s;\bsmtpd_tls_dkey_file\b;<a href="postconf.5.html#smtpd_tls_dkey_file">$&</a>;g;
s;\bsmtpd_tls_key_file\b;<a href="postconf.5.html#smtpd_tls_key_file">$&</a>;g;
+ s;\bsmtpd_tls_security_level\b;<a href="postconf.5.html#smtpd_tls_security_level">$&</a>;g;
s;\bsmtpd_tls_loglevel\b;<a href="postconf.5.html#smtpd_tls_loglevel">$&</a>;g;
s;\bsmtpd_tls_protocols\b;<a href="postconf.5.html#smtpd_tls_protocols">$&</a>;g;
s;\bsmtpd_tls_received_header\b;<a href="postconf.5.html#smtpd_tls_received_header">$&</a>;g;
OSF1.V3 - OSF1.V5 (Digital UNIX) <br>
Reliant UNIX 5.x <br>
Rhapsody 5.x <br>
-SunOS 4.1.4 (December 2005) <br>
+SunOS 4.1.4 (July 2006) <br>
SunOS 5.4 - 5.9 (Solaris 2.4..9) <br>
Ultrix 4.x (well, that was long ago) <br>
</p>
accidental configurations with no certificates, Postfix 2.3 enables
certificate-less operation only when the administrator explicitly sets
"smtpd_tls_cert_file = none". This ensures that new Postfix
-configurations with just "smtpd_use_tls = yes" added, will
-not accidentally run with no certificates. </p>
+configurations will not accidentally run with no certificates. </p>
<p> Both RSA and DSA certificates are supported. Typically you will
only have RSA certificates issued by a commercial CA. In addition,
<p> By default, TLS is disabled in the Postfix SMTP server, so no
difference to plain Postfix is visible. Explicitly switch it on
-using "smtpd_use_tls = yes". </p>
+with "smtpd_tls_security_level = may" (Postfix 2.3 and
+later) or "smtpd_use_tls = yes" (obsolete but still
+supported). </p>
<p> Example: </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
+ # Postfix 2.3 and later
+ smtpd_tls_security_level = may
+ # Obsolete, but still supported
smtpd_use_tls = yes
</pre>
</blockquote>
is never offered due to insufficient privileges to access the server
private key. This is intended behavior. </p>
-<p> <a name="server_enforce">You can ENFORCE the use of TLS</a>, so that
-the Postfix SMTP server announces STARTTLS and accepts no mail without
-TLS encryption, by setting "smtpd_enforce_tls = yes". According
-to RFC 2487 this MUST NOT be applied in case of a publicly-referenced
-Postfix SMTP server. This option is off by default and should only
-seldom be used. </p>
+<p> <a name="server_enforce">You can ENFORCE the use of TLS</a>,
+so that the Postfix SMTP server announces STARTTLS and accepts no
+mail without TLS encryption, by setting
+"smtpd_tls_security_level = encrypt" (Postfix 2.3 and
+later) or "smtpd_enforce_tls = yes" (obsolete but still
+supported). According to RFC 2487 this MUST NOT be applied in case
+of a publicly-referenced Postfix SMTP server. This option is off
+by default and should only seldom be used. </p>
<p> Example: </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
+ # Postfix 2.3 and later
+ smtpd_tls_security_level = encrypt
+ # Obsolete, but still supported
smtpd_enforce_tls = yes
</pre>
</blockquote>
<blockquote>
<pre>
/etc/postfix/main.cf:
- smtpd_use_tls = yes
smtpd_tls_ask_ccert = yes
+ # Postfix 2.3 and later
+ smtpd_tls_security_level = may
+ # Obsolete, but still supported
+ smtpd_use_tls = yes
</pre>
</blockquote>
<blockquote>
<pre>
/etc/postfix/main.cf:
- smtpd_enforce_tls = yes
smtpd_tls_req_ccert = yes
+ # Postfix 2.3 and later
+ smtpd_tls_security_level = encrypt
+ # Obsolete, but still supported
+ smtpd_enforce_tls = yes
</pre>
</blockquote>
<h3><a name="server_tls_auth">Supporting AUTH over TLS only</a></h3>
-<p> Sending AUTH data over an unencrypted channel poses a security risk.
-When TLS layer encryption is required (smtpd_enforce_tls = yes),
-the Postfix SMTP server will announce and accept AUTH only
-after the TLS layer has been activated with STARTTLS. When TLS
-layer encryption is optional (smtpd_enforce_tls = no), it may
-however still be useful to only offer AUTH when TLS is active. To
-maintain compatibility with non-TLS clients, the default is to
-accept AUTH without encryption. In order to change this behavior,
-set "smtpd_tls_auth_only = yes". </p>
+<p> Sending AUTH data over an unencrypted channel poses a security
+risk. When TLS layer encryption is required
+("smtpd_tls_security_level = encrypt" or the obsolete
+"smtpd_enforce_tls = yes"), the Postfix SMTP server will
+announce and accept AUTH only after the TLS layer has been activated
+with STARTTLS. When TLS layer encryption is optional
+("smtpd_tls_security_level = may" or the obsolete
+"smtpd_enforce_tls = no"), it may however still be useful
+to only offer AUTH when TLS is active. To maintain compatibility
+with non-TLS clients, the default is to accept AUTH without encryption.
+In order to change this behavior, set
+"smtpd_tls_auth_only = yes". </p>
<p> Example: </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
- smtpd_use_tls = yes
- smtpd_enforce_tls = yes
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file = /etc/postfix/key.pem
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = aNULL, MD5
+ # Postfix 2.3 and later
+ smtpd_tls_security_level = encrypt
+ # Obsolete, but still supported
+ smtpd_enforce_tls = yes
</pre>
</blockquote>
<p> At the "encrypt" TLS security level, messages are sent only
over TLS encrypted sessions. The SMTP transaction is aborted unless
-the STARTTLS ESMTP feature is supported by the server. If no
-suitable servers are found, the message will be deferred. With Postfix
-2.3 and later, mandatory TLS encryption can be configured by setting
-"smtp_tls_security_level = encrypt". Even though TLS encryption
-is always used, mail delivery continues if the server certificate is
-untrusted or bears the wrong name. </p>
+the STARTTLS ESMTP feature is supported by the server. If no suitable
+servers are found, the message will be deferred. With Postfix 2.3
+and later, mandatory TLS encryption can be configured by setting
+"smtp_tls_security_level = encrypt". Even though TLS
+encryption is always used, mail delivery continues if the server
+certificate is untrusted or bears the wrong name. </p>
<p> At this security level and higher, the smtp_tls_mandatory_protocols
and smtp_tls_mandatory_ciphers configuration parameters determine
<h3><a name="client_tls_verify"> Mandatory server certificate verification </a>
</h3>
-<p> At the "verify" TLS security level, messages are sent only
-over TLS encrypted sessions for which server certificate verification
-succeeds. If no suitable servers are found, the message will be
-deferred. With Postfix 2.3 and later, mandatory server certificate
-verification can be configured by setting
-"smtp_tls_security_level = verify", the
+<p> At the "verify" TLS security level, messages are sent only over
+TLS encrypted sessions if the server certificate is valid (not
+expired or revoked, and signed by a trusted certificate authority)
+and if the server certificate name matches a known pattern. Mandatory
+server certificate verification can be configured by setting
+"smtp_tls_security_level = verify". The
smtp_tls_verify_cert_match parameter can override the default
-"hostname" certificate match strategy. Fine-tuning the matching
-strategy is generally only appropriate for <a
+"hostname" certificate name matching strategy. Fine-tuning the
+
matching strategy is generally only appropriate for <a
href="#client_tls_secure">secure-channel</a> destinations. </p>
<p> With Postfix 2.2 and earlier, or when smtp_tls_security_level
<dd>Opportunistic TLS. No additional attributes are supported at this
level. </dd>
-<dt><b>encrypt</b></dt> <dd>Mandatory TLS encryption. At this level and
-higher the optional "ciphers" attribute overrides the main.cf
-smtp_tls_mandatory_ciphers parameter and the optional "protocols"
-keyword overrides the main.cf smtp_tls_mandatory_protocols parameter.
-In the policy table, multiple protocols must be separated by colons,
-as attribute values may not contain whitespace or commas.</dd>
-
-<dt><b>verify</b></dt>
-<dd>Mandatory server certificate verification. The optional "match"
-attribute overrides the main.cf smtp_tls_verify_cert_match parameter.
-In the policy table, multiple match patterns and strategies must
-be separated by colons. </dd>
-
-<dt><b>secure</b></dt> <dd>Secure-channel TLS. The optional "match"
-attribute overrides the main.cf smtp_tls_secure_cert_match parameter. In
-the policy table, multiple match patterns and strategies must be separated
-by colons. The match attribute is useful when additional domains are
-supported by common server, the policy entries for the additional domains
-specify matching rules for the primary domain certificate. While transport
-table overrides routing secondary domains to the primary nexthop also
-allow secure verification, they risk delivery to the wrong destination
-when domains change hands or are re-assigned to new gateways. With the
-"match" attribute approach, routing is not perturbed, and mail is deferred
-if verification of a new MX host fails. </dd>
+<dt><b>encrypt</b></dt> <dd>Mandatory TLS encryption. Mail is
+delivered only if remote SMTP server offers STARTTLS and the TLS
+handshake succeeds. At this level and higher the optional "ciphers"
+attribute overrides the main.cf smtp_tls_mandatory_ciphers parameter
+and the optional "protocols" keyword overrides the main.cf
+smtp_tls_mandatory_protocols parameter. </dd>
+
+<dt><b>verify</b></dt> <dd>Mandatory server certificate verification.
+Mail is delivered only if the TLS handshake succeeds, if the server
+certificate can be validated (not expired or revoked, and signed
+by a trusted certificate authority), and if the server certificate
+name matches the optional "match" attribute (or the main.cf
+smtp_tls_verify_cert_match parameter value when no optional "match"
+attribute is specified). </dd>
+
+<dt><b>secure</b></dt> <dd>Secure-channel TLS. Mail is delivered
+only if the TLS handshake succeeds, if the server certificate can
+be validated (not expired or revoked, and signed by a trusted
+certificate authority), and if the server certificate name matches
+the optional "match" attribute (or the main.cf smtp_tls_secure_cert_match
+parameter value when no optional "match" attribute is specified).
+</dd>
</dl>
+<p> Notes: </p>
+
+<ul>
+
+<li> <p> The "match" attribute is especially useful to verify TLS
+certificates for domains that are hosted on a shared server. In
+that case, specify "match" rules for the shared server's name.
+While secure verification can also be achieved with manual routing
+overrides in Postfix transport(5) tables, that approach can deliver
+mail to the wrong host when domains are assigned to new gateway
+hosts. The "match" attribute approach avoids the problems of manual
+routing overrides; mail is deferred if verification of a new MX
+host fails. </p>
+
+<li> <p> When a policy table entry specifies multiple match patterns,
+multiple match strategies, or multiple protocols, these must be
+separated by colons. </p>
+
+</ul>
+
<p>
Example:
</p>
<blockquote>
<pre>
-smtp_tls_CAfile = /etc/postfix/cacert.pem
-smtp_tls_session_cache_database =
- btree:/var/spool/postfix/smtp_tls_session_cache
-smtp_use_tls = yes
-smtpd_tls_CAfile = /etc/postfix/cacert.pem
-smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem
-smtpd_tls_key_file = /etc/postfix/FOO-key.pem
-smtpd_tls_received_header = yes
-smtpd_tls_session_cache_database =
- btree:/var/spool/postfix/smtpd_tls_session_cache
-smtpd_use_tls = yes
-tls_random_source = dev:/dev/urandom
+/etc/postfix/main.cf:
+ smtp_tls_CAfile = /etc/postfix/cacert.pem
+ smtp_tls_session_cache_database =
+ btree:/var/spool/postfix/smtp_tls_session_cache
+ smtp_use_tls = yes
+ smtpd_tls_CAfile = /etc/postfix/cacert.pem
+ smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem
+ smtpd_tls_key_file = /etc/postfix/FOO-key.pem
+ smtpd_tls_received_header = yes
+ smtpd_tls_session_cache_database =
+ btree:/var/spool/postfix/smtpd_tls_session_cache
+ tls_random_source = dev:/dev/urandom
+ # Postfix 2.3 and later
+ smtpd_tls_security_level = may
+ # Obsolete, but still supported
+ smtpd_use_tls = yes
</pre>
</blockquote>
similar software, it will still insist on a server certificate. </p>
<p> For servers that are <b>not</b> public Internet MX hosts, Postfix
-2.3 supports configurations with no certificates. This entails the use
-of just the anonymous TLS ciphers, which are not supported by typical
-SMTP clients. Since such clients will not, as a rule, fall back to plain
-text after a TLS handshake failure, the server will be unable to receive
-email from TLS enabled clients. To avoid accidental configurations with
-no certificates, Postfix 2.3 enables certificate-less operation only
-when the administrator explicitly sets "smtpd_tls_cert_file = none". This
-ensures that new Postfix configurations with just "smtpd_use_tls = yes"
-added, will not accidentally run with no certificates. </p>
+2.3 supports configurations with no certificates. This entails the
+use of just the anonymous TLS ciphers, which are not supported by
+typical SMTP clients. Since such clients will not, as a rule, fall
+back to plain text after a TLS handshake failure, the server will
+be unable to receive email from TLS enabled clients. To avoid
+accidental configurations with no certificates, Postfix 2.3 enables
+certificate-less operation only when the administrator explicitly
+sets "smtpd_tls_cert_file = none". This ensures that new Postfix
+configurations will not accidentally run with no certificates. </p>
<p> Both RSA and DSA certificates are supported. When both types
are present, the cipher used determines which certificate will be
%PARAM smtpd_use_tls no
-<p> Opportunistic mode: announce STARTTLS support to SMTP clients,
+<p> Opportunistic TLS: announce STARTTLS support to SMTP clients,
but do not require that clients use TLS encryption. </p>
<p> Note: when invoked via "<b>sendmail -bs</b>", Postfix will never offer
STARTTLS due to insufficient privileges to access the server private
key. This is intended behavior. </p>
-<p> This feature is available in Postfix 2.2 and later. </p>
+<p> This feature is available in Postfix 2.2 and later. With
+Postfix 2.3 and later use smtpd_tls_security_level instead. </p>
%PARAM smtpd_enforce_tls no
-<p> Enforcement mode: announce STARTTLS support to SMTP clients,
+<p> Mandatory TLS: announce STARTTLS support to SMTP clients,
and require that clients use TLS encryption. According to RFC 2487
this MUST NOT be applied in case of a publicly-referenced SMTP
server. This option is off by default and should be used only on
dedicated servers. </p>
-<p> Note 1: this mode implies "smtpd_tls_auth_only = yes". </p>
+<p> Note 1: "smtpd_enforce_tls = yes" implies "smtpd_tls_auth_only = yes". </p>
<p> Note 2: when invoked via "<b>sendmail -bs</b>", Postfix will never offer
STARTTLS due to insufficient privileges to access the server private
key. This is intended behavior. </p>
-<p> This feature is available in Postfix 2.2 and later. </p>
+<p> This feature is available in Postfix 2.2 and later. With
+Postfix 2.3 and later use smtpd_tls_security_level instead. </p>
%PARAM smtpd_tls_wrappermode no
%PARAM smtpd_tls_protocols
-<p> The list of TLS protocols supported by the server. If empty the
-default list of protocols is used (i.e. all TLS protocol versions are
-supported). Any non-empty value is interpreted as a list of protocol
-names separated by whitespace, commas or colons. The supported protocol
-names are "SSLv2", "SSLv3" and "TLSv1", and are not
-case-sensitive. </p>
+<p> The list of TLS protocols supported by the Postfix SMTP server.
+If the list is empty, the server supports all available TLS protocol
+versions. A non-empty value is a list of protocol names separated
+by whitespace, commas or colons. The supported protocol names are
+"SSLv2", "SSLv3" and "TLSv1", and are not case sensitive. </p>
-<p> DO NOT set this to a non-default value on an MX-host,
-as some clients may not support any of the narrower set of protocols,
-and may be unable to fallback to plaintext sessions. If you restrict
-the protocol list on an MX host, you may lose mail. </p>
+<p> DO NOT set this to a non-default value on an Internet MX host,
+as this may cause inter-operability problems. If you restrict the
+protocol list on an Internet MX host, you may lose mail. </p>
<p> Example: </p>
%PARAM smtp_tls_security_level
-<p> The default SMTP TLS security level for all destinations; when
-a non-empty value is specified, this overrides the obsolete parameters
-smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername. </p>
+<p> The default SMTP TLS security level for the Postfix SMTP client;
+when a non-empty value is specified, this overrides the obsolete
+parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
+</p>
<p> Specify one of the following security levels: </p>
configuration parameter. See there for details. </p>
<p> This feature is available in Postfix 2.3 and later. </p>
+
+%PARAM smtpd_tls_security_level
+
+<p> The SMTP TLS security level for the Postfix SMTP server; when
+a non-empty value is specified, this overrides the obsolete parameters
+smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with
+"smtpd_tls_wrappermode = yes". </p>
+
+<p> Specify one of the following security levels: </p>
+
+<dl>
+
+<dt><b>none</b></dt> <dd> TLS will not be used. </dd>
+
+<dt><b>may</b></dt> <dd> Opportunistic TLS: announce STARTTLS support
+to SMTP clients, but do not require that clients use TLS encryption.
+</dd>
+
+<dt><b>encrypt</b></dt> <dd>Mandatory TLS encryption: announce
+STARTTLS support to SMTP clients, and require that clients use TLS
+encryption. According to RFC 2487 this MUST NOT be applied in case
+of a publicly-referenced SMTP server. Instead, this option should
+be used only on dedicated servers. </dd>
+
+</dl>
+
+<p> Note 1: the "verify" and "secure" levels are not supported.
+The Postfix SMTP server logs a warning and uses "encrypt" instead.
+To verify SMTP client certificates, see TLS_README for a discussion
+of the smtpd_tls_ask_ccert, smtpd_tls_req_ccert, and permit_tls_clientcerts
+features. </p>
+
+<p> Note 2: The parameter setting "smtpd_tls_security_level =
+encrypt" implies "smtpd_tls_auth_only = yes".</p>
+
+<p> Note 3: when invoked via "sendmail -bs", Postfix will never
+offer STARTTLS due to insufficient privileges to access the server
+private key. This is intended behavior.</p>
{
const char *myname = "cleanup_repl_body";
+ /*
+ * XXX Sendmail compatibility: milters don't see the first body line, so
+ * don't expect they will send one.
+ */
msg_panic("%s: message body replace operation is not implemented", myname);
}
#define DEF_SMTPD_TLS_WRAPPER 0
extern bool var_smtpd_tls_wrappermode;
+#define VAR_SMTPD_TLS_LEVEL "smtpd_tls_security_level"
+#define DEF_SMTPD_TLS_LEVEL ""
+extern char *var_smtpd_tls_level;
+
#define VAR_SMTPD_USE_TLS "smtpd_use_tls"
#define DEF_SMTPD_USE_TLS 0
extern bool var_smtpd_use_tls;
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20060707"
-#define MAIL_VERSION_NUMBER "2.3-RC8"
+#define MAIL_RELEASE_DATE "20060709"
+#define MAIL_VERSION_NUMBER "2.3-RC9"
#define VAR_MAIL_VERSION "mail_version"
#define DEF_MAIL_VERSION MAIL_VERSION_NUMBER
typedef struct {
MILTER8 *milter; /* milter client */
ARGV *macros; /* end-of-body macros */
- int hdr_count; /* header counter */
+ int first_header; /* first header */
+ int first_body; /* first body line */
const char *resp; /* milter application response */
} MILTER_MSG_CONTEXT;
* dk-filter signature will be inserted at the wrong position. It should
* precede the headers that it signs.
*/
- if (msg_ctx->hdr_count++ == 0)
+ if (msg_ctx->first_header) {
+ msg_ctx->first_header = 0;
return;
+ }
/*
* Sendmail 8 sends multi-line headers as text separated by newline.
ssize_t space;
ssize_t count;
+ /*
+ * XXX Sendmail compatibility: don't expose our first body line.
+ */
+ if (msg_ctx->first_body) {
+ msg_ctx->first_body = 0;
+ return;
+ }
+
/*
* XXX I thought I was going to delegate all the on-the-wire formatting
* to a common lower layer, but unfortunately it's not practical. If we
}
msg_ctx.milter = milter;
msg_ctx.macros = macros;
- msg_ctx.hdr_count = 0;
+ msg_ctx.first_header = 1;
+ msg_ctx.first_body = 1;
msg_ctx.resp = 0;
mime_state =
mime_state_alloc(MIME_OPT_DISABLE_MIME,
/* Detailed information about STARTTLS configuration may be found
/* in the TLS_README document.
/* .IP "\fBsmtp_tls_security_level (empty)\fR"
-/* The default SMTP TLS security level for all destinations; when
-/* a non-empty value is specified, this overrides the obsolete parameters
-/* smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
+/* The default SMTP TLS security level for the Postfix SMTP client;
+/* when a non-empty value is specified, this overrides the obsolete
+/* parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
/* .IP "\fBsmtp_sasl_tls_security_options ($smtp_sasl_security_options)\fR"
/* The SASL authentication security options that the Postfix SMTP
/* client uses for TLS encrypted SMTP sessions.
#endif
-extern NAME_CODE smtp_tls_levels[]; /* smtp_session.c name_code table */
-
/* deliver_message - deliver message with extreme prejudice */
static int deliver_message(const char *service, DELIVER_REQUEST *request)
/*
* Initialize the TLS data before entering the chroot jail
*/
- if (name_code(smtp_tls_levels, NAME_CODE_FLAG_NONE,
- var_smtp_tls_level) > TLS_LEV_NONE ||
+ if (tls_level_lookup(var_smtp_tls_level) > TLS_LEV_NONE ||
var_smtp_use_tls || var_smtp_enforce_tls ||
var_smtp_tls_per_site[0] || var_smtp_tls_policy[0]) {
#ifdef USE_TLS
#include "smtp.h"
#include "smtp_sasl.h"
-NAME_CODE smtp_tls_levels[] = {
- "none", TLS_LEV_NONE,
- "may", TLS_LEV_MAY,
- "encrypt", TLS_LEV_ENCRYPT,
- "verify", TLS_LEV_VERIFY,
- "secure", TLS_LEV_SECURE,
- 0, TLS_LEV_NOTFOUND,
-};
-
#ifdef USE_TLS
static MAPS *tls_policy; /* lookup table(s) */
static const char *policy_name(int tls_level)
{
- const char *name = str_name_code(smtp_tls_levels, tls_level);
+ const char *name = str_tls_level(tls_level);
if (name == 0)
name = "unknown";
msg_warn("ignoring empty tls policy for %s", site_name);
FREE_RETURN(1); /* No further lookups */
}
- *site_level = name_code(smtp_tls_levels, NAME_CODE_FLAG_NONE, tok);
+ *site_level = tls_level_lookup(tok);
if (*site_level == TLS_LEV_NOTFOUND) {
msg_warn("%s: unknown security level '%s' ignored",
str_context(cbuf, site_class, site_name), tok);
* per-site policy.
*/
if (*var_smtp_tls_level) {
- global_level = name_code(smtp_tls_levels, NAME_CODE_FLAG_NONE,
- var_smtp_tls_level);
+ global_level = tls_level_lookup(var_smtp_tls_level);
if (global_level == TLS_LEV_NOTFOUND) {
msg_fatal("%s: unknown TLS security level '%s'",
lmtp ? VAR_LMTP_TLS_LEVEL : VAR_SMTP_TLS_LEVEL,
/* Detailed information about STARTTLS configuration may be
/* found in the TLS_README document.
/* .IP "\fBsmtpd_use_tls (no)\fR"
-/* Opportunistic mode: announce STARTTLS support to SMTP clients,
+/* Opportunistic TLS: announce STARTTLS support to SMTP clients,
/* but do not require that clients use TLS encryption.
/* .IP "\fBsmtpd_enforce_tls (no)\fR"
-/* Enforcement mode: announce STARTTLS support to SMTP clients,
+/* Mandatory TLS: announce STARTTLS support to SMTP clients,
/* and require that clients use TLS encryption.
/* .IP "\fBsmtpd_sasl_tls_security_options ($smtpd_sasl_security_options)\fR"
/* The SASL authentication security options that the Postfix SMTP
/* .IP "\fBsmtpd_tls_loglevel (0)\fR"
/* Enable additional Postfix SMTP server logging of TLS activity.
/* .IP "\fBsmtpd_tls_protocols (empty)\fR"
-/* The list of TLS protocols supported by the server.
+/* The list of TLS protocols supported by the Postfix SMTP server.
/* .IP "\fBsmtpd_tls_received_header (no)\fR"
/* Request that the Postfix SMTP server produces Received: message
/* headers that include information about the protocol and cipher used,
/* The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8)
/* process requests from the \fBtlsmgr\fR(8) server in order to seed its
/* internal pseudo random number generator (PRNG).
+/* .PP
+/* Available in Postfix version 2.3 and later:
+/* .IP "\fBsmtpd_tls_security_level (empty)\fR"
+/* The SMTP TLS security level for the Postfix SMTP server; when
+/* a non-empty value is specified, this overrides the obsolete parameters
+/* smtpd_use_tls and smtpd_enforce_tls.
/* .IP "\fBtls_high_cipherlist (!EXPORT:!LOW:!MEDIUM:ALL:+RC4:@STRENGTH)\fR"
/* The OpenSSL cipherlist for "HIGH" grade ciphers.
/* .IP "\fBtls_medium_cipherlist (!EXPORT:!LOW:ALL:+RC4:@STRENGTH)\fR"
char *var_smtpd_ehlo_dis_words;
char *var_smtpd_ehlo_dis_maps;
+char *var_smtpd_tls_level;
bool var_smtpd_use_tls;
bool var_smtpd_enforce_tls;
bool var_smtpd_tls_wrappermode;
static void pre_jail_init(char *unused_name, char **unused_argv)
{
- int enforce_tls = var_smtpd_tls_wrappermode || var_smtpd_enforce_tls;
- int use_tls = var_smtpd_use_tls || enforce_tls;
+ int enforce_tls;
+ int use_tls;
/*
* Initialize blacklist/etc. patterns before entering the chroot jail, in
VAR_SMTPD_SASL_ENABLE);
#endif
+ /*
+ * XXX Temporary fix to pretend that we consistently implement TLS
+ * security levels. We implement only a subset for now. If we implement
+ * more levels, wrappermode should override only weaker TLS security
+ * levels.
+ */
+ if (!var_smtpd_tls_wrappermode && *var_smtpd_tls_level) {
+ switch (tls_level_lookup(var_smtpd_tls_level)) {
+ default:
+ msg_warn("%s: ignoring unknown TLS level \"%s\"",
+ VAR_SMTPD_TLS_LEVEL, var_smtpd_tls_level);
+ break;
+ case TLS_LEV_SECURE:
+ case TLS_LEV_VERIFY:
+ msg_warn("%s: unsupported TLS level \"%s\", using \"encrypt\"",
+ VAR_SMTPD_TLS_LEVEL, var_smtpd_tls_level);
+ /* FALLTHROUGH */
+ case TLS_LEV_ENCRYPT:
+ var_smtpd_enforce_tls = var_smtpd_use_tls = 1;
+ break;
+ case TLS_LEV_MAY:
+ var_smtpd_enforce_tls = 0;
+ var_smtpd_use_tls = 1;
+ break;
+ case TLS_LEV_NONE:
+ var_smtpd_enforce_tls = var_smtpd_use_tls = 0;
+ break;
+ }
+ }
+ enforce_tls = var_smtpd_tls_wrappermode || var_smtpd_enforce_tls;
+ use_tls = var_smtpd_use_tls || enforce_tls;
+
/*
* Keys can only be loaded when running with suitable permissions. When
- * called from "sendmail -bs" this is not the case, but STARTTLS is not
- * used in this scenario anyhow.
+ * called from "sendmail -bs" this is not the case, so we must not
+ * announce STARTTLS support.
*/
if (getuid() == 0 || getuid() == var_owner_uid) {
if (use_tls) {
VAR_SMTPD_TLS_512_FILE, DEF_SMTPD_TLS_512_FILE, &var_smtpd_tls_dh512_param_file, 0, 0,
VAR_SMTPD_TLS_1024_FILE, DEF_SMTPD_TLS_1024_FILE, &var_smtpd_tls_dh1024_param_file, 0, 0,
#endif
+ VAR_SMTPD_TLS_LEVEL, DEF_SMTPD_TLS_LEVEL, &var_smtpd_tls_level, 0, 0,
VAR_SMTPD_SASL_TYPE, DEF_SMTPD_SASL_TYPE, &var_smtpd_sasl_type, 1, 0,
VAR_SMTPD_MILTERS, DEF_SMTPD_MILTERS, &var_smtpd_milters, 0, 0,
VAR_MILT_CONN_MACROS, DEF_MILT_CONN_MACROS, &var_milt_conn_macros, 0, 0,
/*
* Postfix TLS library.
*/
-#ifdef USE_TLS
#include <tls.h>
-#endif
/*
* Milter library.
SRCS = tls_prng_dev.c tls_prng_egd.c tls_prng_file.c \
tls_prng_exch.c tls_stream.c tls_bio_ops.c tls_misc.c tls_dh.c \
tls_rsa.c tls_verify.c tls_certkey.c tls_session.c \
- tls_client.c tls_server.c tls_scache.c tls_mgr.c tls_seed.c
+ tls_client.c tls_server.c tls_scache.c tls_mgr.c tls_seed.c \
+ tls_level.c
OBJS = tls_prng_dev.o tls_prng_egd.o tls_prng_file.o \
tls_prng_exch.o tls_stream.o tls_bio_ops.o tls_misc.o tls_dh.o \
tls_rsa.o tls_verify.o tls_certkey.o tls_session.o \
- tls_client.o tls_server.o tls_scache.o tls_mgr.o tls_seed.o
+ tls_client.o tls_server.o tls_scache.o tls_mgr.o tls_seed.o \
+ tls_level.o
HDRS = tls.h tls_prng.h tls_scache.h tls_mgr.h
TESTSRC =
DEFS = -I. -I$(INC_DIR) -D$(SYSTYPE)
tls_dh.o: ../../include/vstring.h
tls_dh.o: tls.h
tls_dh.o: tls_dh.c
+tls_level.o: ../../include/name_code.h
+tls_level.o: ../../include/name_mask.h
+tls_level.o: ../../include/sys_defs.h
+tls_level.o: ../../include/vbuf.h
+tls_level.o: ../../include/vstream.h
+tls_level.o: ../../include/vstring.h
+tls_level.o: tls.h
+tls_level.o: tls_level.c
tls_mgr.o: ../../include/attr.h
tls_mgr.o: ../../include/attr_clnt.h
tls_mgr.o: ../../include/iostuff.h
/* DESCRIPTION
/* .nf
+ /*
+ * Utility library.
+ */
+#include <name_code.h>
+
/*
* TLS enforcement levels. Non-sentinel values also be used to indicate
* the actual security level of a session.
#define TLS_LEV_VERIFY 3 /* certificate verified */
#define TLS_LEV_SECURE 4 /* "secure" verification */
+extern NAME_CODE tls_level_table[];
+
+#define tls_level_lookup(s) name_code(tls_level_table, NAME_CODE_FLAG_NONE, (s))
+#define str_tls_level(l) str_name_code(tls_level_table, (l))
+
#ifdef USE_TLS
/*
--- /dev/null
+/*++
+/* NAME
+/* tls_level 3
+/* SUMMARY
+/* TLS security level conversion
+/* SYNOPSIS
+/* #include <tls.h>
+/*
+/* int tls_level_lookup(name)
+/* const char *name;
+/*
+/* const char *str_tls_level(level)
+/* int level;
+/* DESCRIPTION
+/* The macros in this module convert TLS levels from symbolic
+/* name to internal form and vice versa. The macros are safe
+/* because they evaluate their arguments only once.
+/*
+/* tls_level_lookup() converts a TLS level from symbolic name
+/* to internal form. The result is TLS_NOTFOUND for an unknown
+/* level.
+/*
+/* str_tls_level() converts a TLS level from internal form to
+/* symbolic name. The result is a null pointer for an unknown
+/* level.
+/* SEE ALSO
+/* name_code(3) name to number mapping
+/* LICENSE
+/* .ad
+/* .fi
+/* The Secure Mailer license must be distributed with this software.
+/* AUTHOR(S)
+/* Wietse Venema
+/* IBM T.J. Watson Research
+/* P.O. Box 704
+/* Yorktown Heights, NY 10598, USA
+/*--*/
+
+/* System library. */
+
+#include <sys_defs.h>
+
+/* Utility library. */
+
+#include <name_code.h>
+
+/* TLS library. */
+
+#include <tls.h>
+
+/* Application-specific. */
+
+NAME_CODE tls_level_table[] = {
+ "none", TLS_LEV_NONE,
+ "may", TLS_LEV_MAY,
+ "encrypt", TLS_LEV_ENCRYPT,
+ "verify", TLS_LEV_VERIFY,
+ "secure", TLS_LEV_SECURE,
+ 0, TLS_LEV_NOTFOUND,
+};
projects / thirdparty / postfix.git / commitdiff
