and record ordering code. Eliminated some special-case
handling of zero-weight records (that was already started
in the initial implementation). File: dns/dns_rr.c.
+
+20230224
+
+ Documentation fix (error introduced: Postfix 2.7): In a
+ "make makefiles" example in SASL_README, a backslash-newline
+ inside single quotes produced a broken Makefile. Problem
+ reported by James Brown (Bordo International). Updated "make
+ makefiles" examples, replacing single quotes with double
+ quotes, and inside those quotes replacing \" with \\\" to
+ protect a string-valued macro definition. Files:
+ proto/INSTALL.html, proto/MYSQL_README.html,
+ proto/PGSQL_README.html, proto/postconf.proto,
+ proto/SASL_README.html, proto/SQLITE_README.html.
+
+20230303
+
+ Cleanup: Postfix TLS configuration. Treat "export" and "low"
+ cipher grades as "medium", and ignore "export" and "low"
+ cipherlist settings. These grades are no longer supported
+ in OpenSSL 1.1.1, the minimum version that Postfix requires.
+ Also, update Postfix default settings to exclude the following
+ deprecated or unused ciphers (SEED, IDEA, 3DES, RC2, RC4,
+ RC5), digest (MD5), key exchange algorithms (DH, ECDH), and
+ public key algorithm (DSS). Viktor Dukhovni. Files:
+ proto/postconf.proto, global/mail_params.h, smtp/smtp.c,
+ smtpd/smtpd.c, tls/tls_misc.c, tls/tls_proxy_client_misc.c,
+ tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c,
+ tls/tls_proxy.h, tlsproxy/tlsproxy.c.
of Postfix configuration files. In order to build Postfix with a configuration
directory other than /etc/postfix, use:
- $ make makefiles CCARGS='-DDEF_CONFIG_DIR=\"/some/where\"'
+ $ make makefiles CCARGS="-DDEF_CONFIG_DIR=\\\"/some/where\\\""
$ make
IMPORTANT: Be sure to get the quotes right. These details matter a lot.
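Review bot: for this one-line example the double-quoted `+` form and the single-quoted `-` form hand the same argument to make (inside double quotes the shell reduces `\\\"` to `\"`, which the compiler then reads as a quoted string literal), so the switch only pays off in the multi-line examples where a backslash-newline must act as a line continuation rather than be copied literally into the Makefile from inside single quotes. Since "IMPORTANT: Be sure to get the quotes right" is kept as context, consider adding one sentence after it spelling out the rule: inside double quotes every `\"` the compiler needs must be written `\\\"`, and a `$` in the directory path must now be escaped too, because the shell expands `$` inside double quotes but not inside single quotes. The same applies to the identical hunk that follows.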
of Postfix configuration files. In order to build Postfix with a configuration
directory other than /etc/postfix, use:
- $ make makefiles CCARGS='-DDEF_CONFIG_DIR=\"/some/where\"'
+ $ make makefiles CCARGS="-DDEF_CONFIG_DIR=\\\"/some/where\\\""
$ make
IMPORTANT: Be sure to get the quotes right. These details matter a lot.
mysqlclient library (and libm) to AUXLIBS_MYSQL, for example:
make -f Makefile.init makefiles \
- 'CCARGS=-DHAS_MYSQL -I/usr/local/mysql/include' \
- 'AUXLIBS_MYSQL=-L/usr/local/mysql/lib -lmysqlclient -lz -lm'
+ "CCARGS=-DHAS_MYSQL -I/usr/local/mysql/include" \
+ "AUXLIBS_MYSQL=-L/usr/local/mysql/lib -lmysqlclient -lz -lm"
If your MySQL shared library is in a directory that the RUN-TIME linker does
not know about, add a "-Wl,-R,/path/to/directory" option after "-lmysqlclient".
On Solaris, use this instead:
make -f Makefile.init makefiles \
- 'CCARGS=-DHAS_MYSQL -I/usr/local/mysql/include' \
- 'AUXLIBS_MYSQL=-L/usr/local/mysql/lib -R/usr/local/mysql/lib \
- -lmysqlclient -lz -lm'
+ "CCARGS=-DHAS_MYSQL -I/usr/local/mysql/include" \
+ "AUXLIBS_MYSQL=-L/usr/local/mysql/lib -R/usr/local/mysql/lib \
+ -lmysqlclient -lz -lm"
Then, just run 'make'. This requires libz, the compression library. Older mysql
implementations build without libz.
% make tidy
% make -f Makefile.init makefiles \
- 'CCARGS=-DHAS_PGSQL -I/usr/local/include/pgsql' \
- 'AUXLIBS_PGSQL=-L/usr/local/lib -lpq'
+ "CCARGS=-DHAS_PGSQL -I/usr/local/include/pgsql" \
+ "AUXLIBS_PGSQL=-L/usr/local/lib -lpq"
If your PostgreSQL shared library is in a directory that the RUN-TIME linker
does not know about, add a "-Wl,-R,/path/to/directory" option after "-lpq".
level directory:
% m\bma\bak\bke\be t\bti\bid\bdy\by # if you have left-over files from a previous build
- % m\bma\bak\bke\be m\bma\bak\bke\bef\bfi\bil\ble\bes\bs C\bCC\bCA\bAR\bRG\bGS\bS=\b='\b'-\b-D\bDU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL_\b_A\bAU\bUT\bTH\bH \\b\
- -\b-D\bDD\bDE\bEF\bF_\b_S\bSE\bER\bRV\bVE\bER\bR_\b_S\bSA\bAS\bSL\bL_\b_T\bTY\bYP\bPE\bE=\b=\\b\"\b"d\bdo\bov\bve\bec\bco\bot\bt\\b\"\b"'\b'
+ % m\bma\bak\bke\be m\bma\bak\bke\bef\bfi\bil\ble\bes\bs C\bCC\bCA\bAR\bRG\bGS\bS=\b="\b"-\b-D\bDU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL_\b_A\bAU\bUT\bTH\bH \\b\
+ -\b-D\bDD\bDE\bEF\bF_\b_S\bSE\bER\bRV\bVE\bER\bR_\b_S\bSA\bAS\bSL\bL_\b_T\bTY\bYP\bPE\bE=\b=\\b\\\b\\\b\"\b"d\bdo\bov\bve\bec\bco\bot\bt\\b\\\b\\\b\"\b""\b"
After this, proceed with "make" as described in the INSTALL document.
N\bNo\bot\bte\be
- * The -DDEF_SERVER_SASL_TYPE=\"dovecot\" is not necessary; it just makes
+ * The -DDEF_SERVER_SASL_TYPE=\\\"dovecot\\\" is not necessary; it just makes
Postfix configuration a little more convenient because you don't have to
specify the SASL plug-in type in the Postfix main.cf file (but this may
cause surprises when you switch to a later Postfix version that is built
LDAP_README and TLS_README for details.
% m\bma\bak\bke\be t\bti\bid\bdy\by # if you have left-over files from a previous build
- % m\bma\bak\bke\be m\bma\bak\bke\bef\bfi\bil\ble\bes\bs C\bCC\bCA\bAR\bRG\bGS\bS=\b='\b'-\b-D\bDU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL_\b_A\bAU\bUT\bTH\bH \\b\
- -\b-D\bDD\bDE\bEF\bF_\b_S\bSE\bER\bRV\bVE\bER\bR_\b_S\bSA\bAS\bSL\bL_\b_T\bTY\bYP\bPE\bE=\b=\\b\"\b"d\bdo\bov\bve\bec\bco\bot\bt\\b\"\b" \\b\
- .\b..\b..\b.C\bCC\bCA\bAR\bRG\bGS\bS o\bop\bpt\bti\bio\bon\bns\bs f\bfo\bor\br L\bLD\bDA\bAP\bP o\bor\br T\bTL\bLS\bS e\bet\btc\bc.\b..\b..\b..\b.'\b' \\b\
- A\bAU\bUX\bXL\bLI\bIB\bBS\bS=\b='\b'.\b..\b..\b.A\bAU\bUX\bXL\bLI\bIB\bBS\bS o\bop\bpt\bti\bio\bon\bns\bs f\bfo\bor\br L\bLD\bDA\bAP\bP o\bor\br T\bTL\bLS\bS e\bet\btc\bc.\b..\b..\b..\b.'\b'
+ % m\bma\bak\bke\be m\bma\bak\bke\bef\bfi\bil\ble\bes\bs C\bCC\bCA\bAR\bRG\bGS\bS=\b="\b"-\b-D\bDU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL_\b_A\bAU\bUT\bTH\bH \\b\
+ -\b-D\bDD\bDE\bEF\bF_\b_S\bSE\bER\bRV\bVE\bER\bR_\b_S\bSA\bAS\bSL\bL_\b_T\bTY\bYP\bPE\bE=\b=\\b\\\b\\\b\"\b"d\bdo\bov\bve\bec\bco\bot\bt\\b\\\b\\\b\"\b" \\b\
+ .\b..\b..\b.C\bCC\bCA\bAR\bRG\bGS\bS o\bop\bpt\bti\bio\bon\bns\bs f\bfo\bor\br L\bLD\bDA\bAP\bP o\bor\br T\bTL\bLS\bS e\bet\btc\bc.\b..\b..\b..\b."\b" \\b\
+ A\bAU\bUX\bXL\bLI\bIB\bBS\bS=\b="\b".\b..\b..\b.A\bAU\bUX\bXL\bLI\bIB\bBS\bS o\bop\bpt\bti\bio\bon\bns\bs f\bfo\bor\br L\bLD\bDA\bAP\bP o\bor\br T\bTL\bLS\bS e\bet\btc\bc.\b..\b..\b..\b."\b"
B\bBu\bui\bil\bld\bdi\bin\bng\bg C\bCy\byr\bru\bus\bs S\bSA\bAS\bSL\bL s\bsu\bup\bpp\bpo\bor\brt\bt
For example:
make -f Makefile.init makefiles \
- 'CCARGS=-DHAS_SQLITE -I/usr/local/include' \
- 'AUXLIBS_SQLITE=-L/usr/local/lib -lsqlite3 -lpthread'
+ "CCARGS=-DHAS_SQLITE -I/usr/local/include" \
+ "AUXLIBS_SQLITE=-L/usr/local/lib -lsqlite3 -lpthread"
If your SQLite shared library is in a directory that the RUN-TIME linker does
not know about, add a "-Wl,-R,/path/to/directory" option after "-lsqlite3".
the software under the license of their choice. Those who are more
comfortable with the IPL can continue with that license.
-Bugfix for messages not delivered after "warning: Unexpected record type 'X'
-============================================================================
-
-Due to a bug introduced in Postfix 3.7.0, a message could falsely
-be flagged as corrupt with "warning: Unexpected record type 'X'".
+Incompatible changes with snapshot 20221228
+===========================================
-Such messages were moved to the "corrupt" queue directory, where
-they may still be found. See below for instructions to deal with
-these falsely flagged messages.
+This introduces the following changes in Postfix TLS support:
-This problem could happen for messages with 5000 or more recipients,
-or with fewer recipients on a busy mail server. The problem was
-first reported by Frank Brendel, and the error conditions were
-reproduced by John Alex.
+- Postfix ignores "export" and "low" cipher list settings, and
+ treats the "export" and "low" cipher grade settings as "medium".
+ These grades are no longer supported in OpenSSL 1.1.1, the minimum
+ version that Postfix requires.
-Please see https://www.postfix.org/announcements/postfix-3.7.3 for
-instructions to identify falsely flagged messages in the Postfix
-queue, and what actions may be taken.
+- Postfix default settings now exclude the following deprecated or
+ unused ciphers (SEED, IDEA, 3DES, RC2, RC4, RC5), digest (MD5),
+ key exchange algorithms (DH, ECDH), and public key algorithm
+ (DSS).
Incompatible changes with snapshot 20221228
===========================================
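Review bot: the added header "Incompatible changes with snapshot 20221228" repeats, word for word, the header of the existing section that follows as unchanged context, so the file would carry two sections with the same title and date; the HISTORY entry for this TLS cleanup is dated 20230303, so the new header presumably should read "Incompatible changes with snapshot 20230303". Also worth confirming that dropping the whole "Bugfix for messages not delivered after "warning: Unexpected record type 'X'"" notice (all the `-` lines, including the pointer to https://www.postfix.org/announcements/postfix-3.7.3) is intended, since nothing in the `+` text replaces it. Minor: "This introduces the following changes in Postfix TLS support:" has no subject; "This snapshot introduces ..." matches the surrounding sections.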
<blockquote>
<pre>
-$ make makefiles CCARGS='-DDEF_CONFIG_DIR=\"/some/where\"'
+$ make makefiles CCARGS="-DDEF_CONFIG_DIR=\\\"/some/where\\\""
$ make
</pre>
</blockquote>
<blockquote>
<pre>
make -f Makefile.init makefiles \
- 'CCARGS=-DHAS_MYSQL -I/usr/local/mysql/include' \
- '<a href="MYSQL_README.html">AUXLIBS_MYSQL</a>=-L/usr/local/mysql/lib -lmysqlclient -lz -lm'
+ "CCARGS=-DHAS_MYSQL -I/usr/local/mysql/include" \
+ "<a href="MYSQL_README.html">AUXLIBS_MYSQL</a>=-L/usr/local/mysql/lib -lmysqlclient -lz -lm"
</pre>
</blockquote>
<blockquote>
<pre>
make -f Makefile.init makefiles \
- 'CCARGS=-DHAS_MYSQL -I/usr/local/mysql/include' \
- '<a href="MYSQL_README.html">AUXLIBS_MYSQL</a>=-L/usr/local/mysql/lib -R/usr/local/mysql/lib \
- -lmysqlclient -lz -lm'
+ "CCARGS=-DHAS_MYSQL -I/usr/local/mysql/include" \
+ "<a href="MYSQL_README.html">AUXLIBS_MYSQL</a>=-L/usr/local/mysql/lib -R/usr/local/mysql/lib \
+ -lmysqlclient -lz -lm"
</pre>
</blockquote>
<pre>
% make tidy
% make -f Makefile.init makefiles \
- 'CCARGS=-DHAS_PGSQL -I/usr/local/include/pgsql' \
- '<a href="PGSQL_README.html">AUXLIBS_PGSQL</a>=-L/usr/local/lib -lpq'
+ "CCARGS=-DHAS_PGSQL -I/usr/local/include/pgsql" \
+ "<a href="PGSQL_README.html">AUXLIBS_PGSQL</a>=-L/usr/local/lib -lpq"
</pre>
</blockquote>
<blockquote>
<pre>
% <strong>make tidy</strong> # if you have left-over files from a previous build
-% <strong>make makefiles CCARGS='-DUSE_SASL_AUTH \
- -DDEF_SERVER_SASL_TYPE=\"dovecot\"'</strong>
+% <strong>make makefiles CCARGS="-DUSE_SASL_AUTH \
+ -DDEF_SERVER_SASL_TYPE=\\\"dovecot\\\""</strong>
</pre>
</blockquote>
<li>
-<p> The <code>-DDEF_SERVER_SASL_TYPE=\"dovecot\"</code> is not
+<p> The <code>-DDEF_SERVER_SASL_TYPE=\\\"dovecot\\\"</code> is not
necessary; it just makes Postfix configuration a little more
convenient because you don't have to specify the SASL plug-in type
in the Postfix <a href="postconf.5.html">main.cf</a> file (but this may cause surprises when you
<blockquote>
<pre>
% <strong>make tidy</strong> # if you have left-over files from a previous build
-% <strong>make makefiles CCARGS='-DUSE_SASL_AUTH \
- -DDEF_SERVER_SASL_TYPE=\"dovecot\" \
- ...<i>CCARGS options for LDAP or TLS etc.</i>...' \
- AUXLIBS='...<i>AUXLIBS options for LDAP or TLS etc.</i>...'</strong>
+% <strong>make makefiles CCARGS="-DUSE_SASL_AUTH \
+ -DDEF_SERVER_SASL_TYPE=\\\"dovecot\\\" \
+ ...<i>CCARGS options for LDAP or TLS etc.</i>..." \
+ AUXLIBS="...<i>AUXLIBS options for LDAP or TLS etc.</i>..."</strong>
</pre>
</blockquote>
<blockquote>
<pre>
make -f Makefile.init makefiles \
- 'CCARGS=-DHAS_SQLITE -I/usr/local/include' \
- '<a href="SQLITE_README.html">AUXLIBS_SQLITE</a>=-L/usr/local/lib -lsqlite3 -lpthread'
+ "CCARGS=-DHAS_SQLITE -I/usr/local/include" \
+ "<a href="SQLITE_README.html">AUXLIBS_SQLITE</a>=-L/usr/local/lib -lsqlite3 -lpthread"
</pre>
</blockquote>
<b><a href="postconf.5.html#ignore_srv_lookup_error">ignore_srv_lookup_error</a> (no)</b>
When SRV record lookup fails, fall back to MX or IP address
- lookup as if SRV record lookups were not enabled.
+ lookup as if SRV record lookup was not enabled.
<b><a href="postconf.5.html#allow_srv_lookup_fallback">allow_srv_lookup_fallback</a> (no)</b>
When SRV record lookup fails or no SRV record exists, fall back
- to MX or IP address lookup as if SRV record lookups were not
+ to MX or IP address lookup as if SRV record lookup was not
enabled.
<b>MIME PROCESSING CONTROLS</b>
<b><a href="postconf.5.html#tls_medium_cipherlist">tls_medium_cipherlist</a> (see 'postconf -d' output)</b>
The OpenSSL cipherlist for "medium" or higher grade ciphers.
+ <b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b>
+ The OpenSSL cipherlist for "NULL" grade ciphers that provide
+ authentication without encryption.
+
+ Available in in Postfix version 2.3..3.7:
+
<b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (see 'postconf -d' output)</b>
The OpenSSL cipherlist for "low" or higher grade ciphers.
<b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (see 'postconf -d' output)</b>
The OpenSSL cipherlist for "export" or higher grade ciphers.
- <b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b>
- The OpenSSL cipherlist for "NULL" grade ciphers that provide
- authentication without encryption.
-
Available in Postfix version 2.4 and later:
<b><a href="postconf.5.html#smtp_sasl_tls_verified_security_options">smtp_sasl_tls_verified_security_options</a> ($<a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_secu</a>-</b>
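Review bot: typo in the added heading "Available in in Postfix version 2.3..3.7:" (doubled "in"); the identical hunk later in this diff repeats it, while the corresponding hunk that reads "Available in Postfix version 2.3..3.7:" has it right. These summaries are generated from the same source comment (the HISTORY entry lists smtpd/smtpd.c among the touched files), so fix it there rather than in the rendered copies.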
(default: no)</b></DT><DD>
<p> When SRV record lookup fails, fall back to MX or IP address
-lookup as if SRV record lookup was not enabled. </>
+lookup as if SRV record lookup was not enabled. </p>
<p> This feature is available in Postfix 3.8 and later. </p>
<p> The following cipher grades are supported: </p>
<dl>
-<dt><b>export</b></dt>
-<dd> Enable "EXPORT" grade or better OpenSSL ciphers. The underlying
-cipherlist is specified via the <a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> configuration
-parameter, which you are strongly encouraged not to change. This
-choice is insecure and SHOULD NOT be used. </dd>
-
-<dt><b>low</b></dt>
-<dd> Enable "LOW" grade or better OpenSSL ciphers. The underlying
-cipherlist is specified via the <a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> configuration
-parameter, which you are strongly encouraged not to change. This
-choice is insecure and SHOULD NOT be used. </dd>
-
-<dt><b>medium</b></dt>
-<dd> Enable "MEDIUM" grade or better OpenSSL ciphers.
-The underlying cipherlist is specified via the <a href="postconf.5.html#tls_medium_cipherlist">tls_medium_cipherlist</a>
-configuration parameter, which you are strongly encouraged not to change.
-</dd>
-
<dt><b>high</b></dt>
<dd> Enable only "HIGH" grade OpenSSL ciphers. This setting may
be appropriate when all mandatory TLS destinations (e.g. when all
<a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a> configuration parameter, which you are strongly
encouraged not to change. </dd>
+<dt><b>medium</b></dt>
+<dd> Enable "MEDIUM" grade or better OpenSSL ciphers.
+The underlying cipherlist is specified via the <a href="postconf.5.html#tls_medium_cipherlist">tls_medium_cipherlist</a>
+configuration parameter, which you are strongly encouraged not to change.
+</dd>
+
<dt><b>null</b></dt>
<dd> Enable only the "NULL" OpenSSL ciphers, these provide authentication
without encryption. This setting is only appropriate in the rare case
configuration parameter, which you are strongly encouraged not to
change. </dd>
+<dt><b>low</b></dt>
+<dd> Enable "LOW" grade or stronger OpenSSL ciphers. In Postfix
+≥ 3.8 this cipher grade is always identical to "medium". Recent
+versions of OpenSSL do not support any "LOW" grade ciphers. In
+earlier Postfix releases the underlying cipherlist was specified
+via the <a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> configuration parameter, which you are
+strongly encouraged not to change. This obsolete cipher grade
+SHOULD NOT be used. </dd>
+
+<dt><b>export</b></dt>
+<dd> Enable "EXPORT" grade or stronger OpenSSL ciphers. In Postfix
+≥ 3.8 this cipher grade is always identical to "medium". Recent
+versions of OpenSSL do not support any "EXPORT" grade ciphers. In
+earlier Postfix releases the underlying cipherlist was specified
+via the <a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> configuration parameter, which you are
+strongly encouraged not to change. This obsolete cipher grade
+SHOULD NOT be used. </dd>
+
</dl>
<p> The underlying cipherlists for grades other than "null" include
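Review bot: the added "low" and "export" entries use a literal "≥" ("In Postfix ≥ 3.8 this cipher grade is always identical to "medium""), whereas the nroff version of the same text in this diff writes ">=". Suggest `&ge;` or plain ">=" in the HTML so the rendering does not depend on the page's declared charset and the two generated forms stay in step; the same applies to the second cipher-grade list in the hunk that follows.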
<p> The following cipher grades are supported: </p>
<dl>
-<dt><b>export</b></dt>
-<dd> Enable "EXPORT" grade or stronger OpenSSL ciphers. The
-underlying cipherlist is specified via the <a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a>
-configuration parameter, which you are strongly encouraged not to
-change. This choice is insecure and SHOULD NOT be used. </dd>
-
-<dt><b>low</b></dt>
-<dd> Enable "LOW" grade or stronger OpenSSL ciphers. The underlying
-cipherlist is specified via the <a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> configuration
-parameter, which you are strongly encouraged not to change. This
-choice is insecure and SHOULD NOT be used. </dd>
+<dt><b>high</b></dt>
+<dd> Enable only "HIGH" grade OpenSSL ciphers. The
+underlying cipherlist is specified via the <a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a>
+configuration parameter, which you are strongly encouraged to
+not change. </dd>
<dt><b>medium</b></dt>
<dd> Enable "MEDIUM" grade or stronger OpenSSL ciphers. These use 128-bit
specified via the <a href="postconf.5.html#tls_medium_cipherlist">tls_medium_cipherlist</a> configuration parameter, which
you are strongly encouraged not to change. </dd>
-<dt><b>high</b></dt>
-<dd> Enable only "HIGH" grade OpenSSL ciphers. The
-underlying cipherlist is specified via the <a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a>
-configuration parameter, which you are strongly encouraged to
-not change. </dd>
-
<dt><b>null</b></dt>
<dd> Enable only the "NULL" OpenSSL ciphers, these provide authentication
without encryption. This setting is only appropriate in the rare
<a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> configuration parameter, which you are strongly
encouraged not to change. </dd>
+<dt><b>low</b></dt>
+<dd> Enable "LOW" grade or stronger OpenSSL ciphers. In Postfix
+≥ 3.8 this cipher grade is always identical to "medium". Recent
+versions of OpenSSL do not support any "LOW" grade ciphers. In
+earlier Postfix releases the underlying cipherlist was specified
+via the <a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> configuration parameter, which you are
+strongly encouraged not to change. This obsolete cipher grade
+SHOULD NOT be used. </dd>
+
+<dt><b>export</b></dt>
+<dd> Enable "EXPORT" grade or stronger OpenSSL ciphers. In Postfix
+≥ 3.8 this cipher grade is always identical to "medium". Recent
+versions of OpenSSL do not support any "EXPORT" grade ciphers. In
+earlier Postfix releases the underlying cipherlist was specified
+via the <a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> configuration parameter, which you are
+strongly encouraged not to change. This obsolete cipher grade
+SHOULD NOT be used. </dd>
+
</dl>
<p> Cipher types listed in
<DT><b><a name="tls_export_cipherlist">tls_export_cipherlist</a>
(default: see "postconf -d" output)</b></DT><DD>
-<p> The OpenSSL cipherlist for "export" or higher grade ciphers. This
-defines the meaning of the "export" setting in <a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a>,
-<a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a>, <a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a>, <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>,
-<a href="postconf.5.html#lmtp_tls_ciphers">lmtp_tls_ciphers</a>, and <a href="postconf.5.html#lmtp_tls_mandatory_ciphers">lmtp_tls_mandatory_ciphers</a>. With Postfix
-releases before the middle of 2015 this is the default cipherlist
-for the opportunistic ("may") TLS client security level and also
-the default cipherlist for the SMTP server. You are strongly
-encouraged not to change this setting. </p>
+<p> The OpenSSL cipherlist for "export" or higher grade ciphers.
+Ignored as of Postfix 3.8. In earlier Postfix releases this
+defined the meaning of the "export" setting in <a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a>,
+<a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a>, <a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a>,
+<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>, <a href="postconf.5.html#lmtp_tls_ciphers">lmtp_tls_ciphers</a>, and
+<a href="postconf.5.html#lmtp_tls_mandatory_ciphers">lmtp_tls_mandatory_ciphers</a>. You are strongly encouraged not to
+change this setting. </p>
-<p> This feature is available in Postfix 2.3 and later. </p>
+<p> This feature is available in Postfix 2.3 and later. </p>
</DD>
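Review bot: the `-`/`+` pair "This feature is available in Postfix 2.3 and later." reads identically on both lines, so either the change is whitespace-only (and the hunk could be dropped) or an intended edit went missing. The sentence also now sits under a paragraph that says "Ignored as of Postfix 3.8", and the parameter summaries elsewhere in this diff file the same parameter under "Available in Postfix version 2.3..3.7"; consider aligning the wording, e.g. "This feature is available in Postfix 2.3 and later, and is ignored as of Postfix 3.8." The tls_low_cipherlist hunk that follows has the same identical `-`/`+` pair and the same wording question.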
<DT><b><a name="tls_low_cipherlist">tls_low_cipherlist</a>
(default: see "postconf -d" output)</b></DT><DD>
-<p> The OpenSSL cipherlist for "low" or higher grade ciphers. This defines
-the meaning of the "low" setting in <a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a>,
-<a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a>, <a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a>, <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>,
-<a href="postconf.5.html#lmtp_tls_ciphers">lmtp_tls_ciphers</a>, and <a href="postconf.5.html#lmtp_tls_mandatory_ciphers">lmtp_tls_mandatory_ciphers</a>. You are strongly
-encouraged not to change this setting. </p>
+<p> The OpenSSL cipherlist for "low" or higher grade ciphers.
+Ignored as of Postfix 3.8. In earlier Postfix releases this
+defined the meaning of the "low" setting in <a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a>,
+<a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a>, <a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a>,
+<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>, <a href="postconf.5.html#lmtp_tls_ciphers">lmtp_tls_ciphers</a>, and
+<a href="postconf.5.html#lmtp_tls_mandatory_ciphers">lmtp_tls_mandatory_ciphers</a>. You are strongly encouraged not to
+change this setting. </p>
-<p> This feature is available in Postfix 2.3 and later. </p>
+<p> This feature is available in Postfix 2.3 and later. </p>
</DD>
<b><a href="postconf.5.html#ignore_srv_lookup_error">ignore_srv_lookup_error</a> (no)</b>
When SRV record lookup fails, fall back to MX or IP address
- lookup as if SRV record lookups were not enabled.
+ lookup as if SRV record lookup was not enabled.
<b><a href="postconf.5.html#allow_srv_lookup_fallback">allow_srv_lookup_fallback</a> (no)</b>
When SRV record lookup fails or no SRV record exists, fall back
- to MX or IP address lookup as if SRV record lookups were not
+ to MX or IP address lookup as if SRV record lookup was not
enabled.
<b>MIME PROCESSING CONTROLS</b>
<b><a href="postconf.5.html#tls_medium_cipherlist">tls_medium_cipherlist</a> (see 'postconf -d' output)</b>
The OpenSSL cipherlist for "medium" or higher grade ciphers.
+ <b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b>
+ The OpenSSL cipherlist for "NULL" grade ciphers that provide
+ authentication without encryption.
+
+ Available in in Postfix version 2.3..3.7:
+
<b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (see 'postconf -d' output)</b>
The OpenSSL cipherlist for "low" or higher grade ciphers.
<b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (see 'postconf -d' output)</b>
The OpenSSL cipherlist for "export" or higher grade ciphers.
- <b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b>
- The OpenSSL cipherlist for "NULL" grade ciphers that provide
- authentication without encryption.
-
Available in Postfix version 2.4 and later:
<b><a href="postconf.5.html#smtp_sasl_tls_verified_security_options">smtp_sasl_tls_verified_security_options</a> ($<a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_secu</a>-</b>
<b><a href="postconf.5.html#tls_medium_cipherlist">tls_medium_cipherlist</a> (see 'postconf -d' output)</b>
The OpenSSL cipherlist for "medium" or higher grade ciphers.
+ <b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b>
+ The OpenSSL cipherlist for "NULL" grade ciphers that provide
+ authentication without encryption.
+
+ Available in Postfix version 2.3..3.7:
+
<b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (see 'postconf -d' output)</b>
The OpenSSL cipherlist for "low" or higher grade ciphers.
<b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (see 'postconf -d' output)</b>
The OpenSSL cipherlist for "export" or higher grade ciphers.
- <b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b>
- The OpenSSL cipherlist for "NULL" grade ciphers that provide
- authentication without encryption.
-
Available in Postfix version 2.5 and later:
<b><a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a> (see 'postconf -d' output)</b>
<b><a href="postconf.5.html#tls_medium_cipherlist">tls_medium_cipherlist</a> (see 'postconf -d' output)</b>
The OpenSSL cipherlist for "medium" or higher grade ciphers.
- <b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (see 'postconf -d' output)</b>
- The OpenSSL cipherlist for "low" or higher grade ciphers.
-
- <b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (see 'postconf -d' output)</b>
- The OpenSSL cipherlist for "export" or higher grade ciphers.
-
<b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b>
The OpenSSL cipherlist for "NULL" grade ciphers that provide
authentication without encryption.
erence order instead of the remote client's cipher preference
order.
+ Available in Postfix version 2.8..3.7:
+
+ <b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (see 'postconf -d' output)</b>
+ The OpenSSL cipherlist for "low" or higher grade ciphers.
+
+ <b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (see 'postconf -d' output)</b>
+ The OpenSSL cipherlist for "export" or higher grade ciphers.
+
Available in Postfix version 2.9 and later:
<b><a href="postconf.5.html#tls_legacy_public_key_fingerprints">tls_legacy_public_key_fingerprints</a> (no)</b>
mis\-delivery of mail.
.SH ignore_srv_lookup_error (default: no)
When SRV record lookup fails, fall back to MX or IP address
-lookup as if SRV record lookup was not enabled. </>
+lookup as if SRV record lookup was not enabled.
.PP
This feature is available in Postfix 3.8 and later.
.SH import_environment (default: see "postconf \-d" output)
on a per\-destination basis.
.PP
The following cipher grades are supported:
-.IP "\fBexport\fR"
-Enable "EXPORT" grade or better OpenSSL ciphers. The underlying
-cipherlist is specified via the tls_export_cipherlist configuration
-parameter, which you are strongly encouraged not to change. This
-choice is insecure and SHOULD NOT be used.
-.br
-.IP "\fBlow\fR"
-Enable "LOW" grade or better OpenSSL ciphers. The underlying
-cipherlist is specified via the tls_low_cipherlist configuration
-parameter, which you are strongly encouraged not to change. This
-choice is insecure and SHOULD NOT be used.
-.br
-.IP "\fBmedium\fR"
-Enable "MEDIUM" grade or better OpenSSL ciphers.
-The underlying cipherlist is specified via the tls_medium_cipherlist
-configuration parameter, which you are strongly encouraged not to change.
-.br
.IP "\fBhigh\fR"
Enable only "HIGH" grade OpenSSL ciphers. This setting may
be appropriate when all mandatory TLS destinations (e.g. when all
tls_high_cipherlist configuration parameter, which you are strongly
encouraged not to change.
.br
+.IP "\fBmedium\fR"
+Enable "MEDIUM" grade or better OpenSSL ciphers.
+The underlying cipherlist is specified via the tls_medium_cipherlist
+configuration parameter, which you are strongly encouraged not to change.
+.br
.IP "\fBnull\fR"
Enable only the "NULL" OpenSSL ciphers, these provide authentication
without encryption. This setting is only appropriate in the rare case
configuration parameter, which you are strongly encouraged not to
change.
.br
+.IP "\fBlow\fR"
+Enable "LOW" grade or stronger OpenSSL ciphers. In Postfix
+>= 3.8 this cipher grade is always identical to "medium". Recent
+versions of OpenSSL do not support any "LOW" grade ciphers. In
+earlier Postfix releases the underlying cipherlist was specified
+via the tls_low_cipherlist configuration parameter, which you are
+strongly encouraged not to change. This obsolete cipher grade
+SHOULD NOT be used.
+.br
+.IP "\fBexport\fR"
+Enable "EXPORT" grade or stronger OpenSSL ciphers. In Postfix
+>= 3.8 this cipher grade is always identical to "medium". Recent
+versions of OpenSSL do not support any "EXPORT" grade ciphers. In
+earlier Postfix releases the underlying cipherlist was specified
+via the tls_export_cipherlist configuration parameter, which you are
+strongly encouraged not to change. This obsolete cipher grade
+SHOULD NOT be used.
+.br
.br
.PP
The underlying cipherlists for grades other than "null" include
one "medium" or "high" grade cipher.
.PP
The following cipher grades are supported:
-.IP "\fBexport\fR"
-Enable "EXPORT" grade or stronger OpenSSL ciphers. The
-underlying cipherlist is specified via the tls_export_cipherlist
-configuration parameter, which you are strongly encouraged not to
-change. This choice is insecure and SHOULD NOT be used.
-.br
-.IP "\fBlow\fR"
-Enable "LOW" grade or stronger OpenSSL ciphers. The underlying
-cipherlist is specified via the tls_low_cipherlist configuration
-parameter, which you are strongly encouraged not to change. This
-choice is insecure and SHOULD NOT be used.
+.IP "\fBhigh\fR"
+Enable only "HIGH" grade OpenSSL ciphers. The
+underlying cipherlist is specified via the tls_high_cipherlist
+configuration parameter, which you are strongly encouraged to
+not change.
.br
.IP "\fBmedium\fR"
Enable "MEDIUM" grade or stronger OpenSSL ciphers. These use 128\-bit
specified via the tls_medium_cipherlist configuration parameter, which
you are strongly encouraged not to change.
.br
-.IP "\fBhigh\fR"
-Enable only "HIGH" grade OpenSSL ciphers. The
-underlying cipherlist is specified via the tls_high_cipherlist
-configuration parameter, which you are strongly encouraged to
-not change.
-.br
.IP "\fBnull\fR"
Enable only the "NULL" OpenSSL ciphers, these provide authentication
without encryption. This setting is only appropriate in the rare
tls_null_cipherlist configuration parameter, which you are strongly
encouraged not to change.
.br
+.IP "\fBlow\fR"
+Enable "LOW" grade or stronger OpenSSL ciphers. In Postfix
+>= 3.8 this cipher grade is always identical to "medium". Recent
+versions of OpenSSL do not support any "LOW" grade ciphers. In
+earlier Postfix releases the underlying cipherlist was specified
+via the tls_low_cipherlist configuration parameter, which you are
+strongly encouraged not to change. This obsolete cipher grade
+SHOULD NOT be used.
+.br
+.IP "\fBexport\fR"
+Enable "EXPORT" grade or stronger OpenSSL ciphers. In Postfix
+>= 3.8 this cipher grade is always identical to "medium". Recent
+versions of OpenSSL do not support any "EXPORT" grade ciphers. In
+earlier Postfix releases the underlying cipherlist was specified
+via the tls_export_cipherlist configuration parameter, which you are
+strongly encouraged not to change. This obsolete cipher grade
+SHOULD NOT be used.
+.br
.br
.PP
Cipher types listed in
compiled and linked with OpenSSL 1.0.0 or later on platforms where
EC algorithms have not been disabled by the vendor.
.SH tls_export_cipherlist (default: see "postconf \-d" output)
-The OpenSSL cipherlist for "export" or higher grade ciphers. This
-defines the meaning of the "export" setting in smtpd_tls_ciphers,
-smtpd_tls_mandatory_ciphers, smtp_tls_ciphers, smtp_tls_mandatory_ciphers,
-lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. With Postfix
-releases before the middle of 2015 this is the default cipherlist
-for the opportunistic ("may") TLS client security level and also
-the default cipherlist for the SMTP server. You are strongly
-encouraged not to change this setting.
+The OpenSSL cipherlist for "export" or higher grade ciphers.
+Ignored as of Postfix 3.8. In earlier Postfix releases this
+defined the meaning of the "export" setting in smtpd_tls_ciphers,
+smtpd_tls_mandatory_ciphers, smtp_tls_ciphers,
+smtp_tls_mandatory_ciphers, lmtp_tls_ciphers, and
+lmtp_tls_mandatory_ciphers. You are strongly encouraged not to
+change this setting.
.PP
This feature is available in Postfix 2.3 and later.
.SH tls_fast_shutdown_enable (default: yes)
.PP
This feature is available in Postfix 2.9.6 and later.
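Review bot: the new tls_export_cipherlist text says the parameter is ignored but not what an "export" cipher grade setting now does; since the cipher grade table in this patch maps "export" to TLS_CIPHER_MEDIUM, add a sentence such as "the "export" cipher grade is treated as "medium"" here (and the corresponding sentence in the tls_low_cipherlist entry below), so that an administrator who reads only this parameter's entry learns the effective behaviour.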
.SH tls_low_cipherlist (default: see "postconf \-d" output)
-The OpenSSL cipherlist for "low" or higher grade ciphers. This defines
-the meaning of the "low" setting in smtpd_tls_ciphers,
-smtpd_tls_mandatory_ciphers, smtp_tls_ciphers, smtp_tls_mandatory_ciphers,
-lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. You are strongly
-encouraged not to change this setting.
+The OpenSSL cipherlist for "low" or higher grade ciphers.
+Ignored as of Postfix 3.8. In earlier Postfix releases this
+defined the meaning of the "low" setting in smtpd_tls_ciphers,
+smtpd_tls_mandatory_ciphers, smtp_tls_ciphers,
+smtp_tls_mandatory_ciphers, lmtp_tls_ciphers, and
+lmtp_tls_mandatory_ciphers. You are strongly encouraged not to
+change this setting.
.PP
This feature is available in Postfix 2.3 and later.
.SH tls_medium_cipherlist (default: see "postconf \-d" output)
records.
.IP "\fBignore_srv_lookup_error (no)\fR"
When SRV record lookup fails, fall back to MX or IP address
-lookup as if SRV record lookups were not enabled.
+lookup as if SRV record lookup was not enabled.
.IP "\fBallow_srv_lookup_fallback (no)\fR"
When SRV record lookup fails or no SRV record exists, fall back
-to MX or IP address lookup as if SRV record lookups were not enabled.
+to MX or IP address lookup as if SRV record lookup was not enabled.
.SH "MIME PROCESSING CONTROLS"
.na
.nf
The OpenSSL cipherlist for "high" grade ciphers.
.IP "\fBtls_medium_cipherlist (see 'postconf -d' output)\fR"
The OpenSSL cipherlist for "medium" or higher grade ciphers.
+.IP "\fBtls_null_cipherlist (eNULL:!aNULL)\fR"
+The OpenSSL cipherlist for "NULL" grade ciphers that provide
+authentication without encryption.
+.PP
+Available in in Postfix version 2.3..3.7:
.IP "\fBtls_low_cipherlist (see 'postconf -d' output)\fR"
The OpenSSL cipherlist for "low" or higher grade ciphers.
.IP "\fBtls_export_cipherlist (see 'postconf -d' output)\fR"
The OpenSSL cipherlist for "export" or higher grade ciphers.
-.IP "\fBtls_null_cipherlist (eNULL:!aNULL)\fR"
-The OpenSSL cipherlist for "NULL" grade ciphers that provide
-authentication without encryption.
.PP
Available in Postfix version 2.4 and later:
.IP "\fBsmtp_sasl_tls_verified_security_options ($smtp_sasl_tls_security_options)\fR"
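Review bot: typo in the added header line "Available in in Postfix version 2.3..3.7:" (doubled "in"). This man page is generated from the smtp.c header comment, and the same doubled word appears in that comment in this patch, so fix it at the source and regenerate rather than editing the .8 file directly.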
The OpenSSL cipherlist for "high" grade ciphers.
.IP "\fBtls_medium_cipherlist (see 'postconf -d' output)\fR"
The OpenSSL cipherlist for "medium" or higher grade ciphers.
+.IP "\fBtls_null_cipherlist (eNULL:!aNULL)\fR"
+The OpenSSL cipherlist for "NULL" grade ciphers that provide
+authentication without encryption.
+.PP
+Available in Postfix version 2.3..3.7:
.IP "\fBtls_low_cipherlist (see 'postconf -d' output)\fR"
The OpenSSL cipherlist for "low" or higher grade ciphers.
.IP "\fBtls_export_cipherlist (see 'postconf -d' output)\fR"
The OpenSSL cipherlist for "export" or higher grade ciphers.
-.IP "\fBtls_null_cipherlist (eNULL:!aNULL)\fR"
-The OpenSSL cipherlist for "NULL" grade ciphers that provide
-authentication without encryption.
.PP
Available in Postfix version 2.5 and later:
.IP "\fBsmtpd_tls_fingerprint_digest (see 'postconf -d' output)\fR"
The OpenSSL cipherlist for "high" grade ciphers.
.IP "\fBtls_medium_cipherlist (see 'postconf -d' output)\fR"
The OpenSSL cipherlist for "medium" or higher grade ciphers.
-.IP "\fBtls_low_cipherlist (see 'postconf -d' output)\fR"
-The OpenSSL cipherlist for "low" or higher grade ciphers.
-.IP "\fBtls_export_cipherlist (see 'postconf -d' output)\fR"
-The OpenSSL cipherlist for "export" or higher grade ciphers.
.IP "\fBtls_null_cipherlist (eNULL:!aNULL)\fR"
The OpenSSL cipherlist for "NULL" grade ciphers that provide
authentication without encryption.
preference order instead of the remote client's cipher preference
order.
.PP
+Available in Postfix version 2.8..3.7:
+.IP "\fBtls_low_cipherlist (see 'postconf -d' output)\fR"
+The OpenSSL cipherlist for "low" or higher grade ciphers.
+.IP "\fBtls_export_cipherlist (see 'postconf -d' output)\fR"
+The OpenSSL cipherlist for "export" or higher grade ciphers.
+.PP
Available in Postfix version 2.9 and later:
.IP "\fBtls_legacy_public_key_fingerprints (no)\fR"
A temporary migration aid for sites that use certificate
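Review bot: the version range in the added "Available in Postfix version 2.8..3.7:" block does not match the "2.3..3.7" used for the same two parameters (tls_low_cipherlist, tls_export_cipherlist) in the smtp.8 hunks above; unless smtpd(8) really gained them only in 2.8, use 2.3..3.7 here and in the matching smtpd.c header comment later in this patch.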
<blockquote>
<pre>
-$ make makefiles CCARGS='-DDEF_CONFIG_DIR=\"/some/where\"'
+$ make makefiles CCARGS="-DDEF_CONFIG_DIR=\\\"/some/where\\\""
$ make
</pre>
</blockquote>
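Review bot: missing explanation for the triple backslash. The reader sees `\\\"` replace `\"` with no rationale; one sentence next to the example, such as "inside double quotes the shell reduces \\\" to \", and the shell that make starts reduces that to a literal " in the macro value", would let readers verify the new form instead of copying it blindly. Also worth stating once, for this and the MYSQL/PGSQL/SQLITE/SASL examples below, that double quotes, unlike single quotes, let the shell expand `$` and backquotes, so a path containing `$` would need escaping (none of the paths shown contain one).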
<blockquote>
<pre>
make -f Makefile.init makefiles \
- 'CCARGS=-DHAS_MYSQL -I/usr/local/mysql/include' \
- 'AUXLIBS_MYSQL=-L/usr/local/mysql/lib -lmysqlclient -lz -lm'
+ "CCARGS=-DHAS_MYSQL -I/usr/local/mysql/include" \
+ "AUXLIBS_MYSQL=-L/usr/local/mysql/lib -lmysqlclient -lz -lm"
</pre>
</blockquote>
<blockquote>
<pre>
make -f Makefile.init makefiles \
- 'CCARGS=-DHAS_MYSQL -I/usr/local/mysql/include' \
- 'AUXLIBS_MYSQL=-L/usr/local/mysql/lib -R/usr/local/mysql/lib \
- -lmysqlclient -lz -lm'
+ "CCARGS=-DHAS_MYSQL -I/usr/local/mysql/include" \
+ "AUXLIBS_MYSQL=-L/usr/local/mysql/lib -R/usr/local/mysql/lib \
+ -lmysqlclient -lz -lm"
</pre>
</blockquote>
<pre>
% make tidy
% make -f Makefile.init makefiles \
- 'CCARGS=-DHAS_PGSQL -I/usr/local/include/pgsql' \
- 'AUXLIBS_PGSQL=-L/usr/local/lib -lpq'
+ "CCARGS=-DHAS_PGSQL -I/usr/local/include/pgsql" \
+ "AUXLIBS_PGSQL=-L/usr/local/lib -lpq"
</pre>
</blockquote>
<blockquote>
<pre>
% <strong>make tidy</strong> # if you have left-over files from a previous build
-% <strong>make makefiles CCARGS='-DUSE_SASL_AUTH \
- -DDEF_SERVER_SASL_TYPE=\"dovecot\"'</strong>
+% <strong>make makefiles CCARGS="-DUSE_SASL_AUTH \
+ -DDEF_SERVER_SASL_TYPE=\\\"dovecot\\\""</strong>
</pre>
</blockquote>
<li>
-<p> The <code>-DDEF_SERVER_SASL_TYPE=\"dovecot\"</code> is not
+<p> The <code>-DDEF_SERVER_SASL_TYPE=\\\"dovecot\\\"</code> is not
necessary; it just makes Postfix configuration a little more
convenient because you don't have to specify the SASL plug-in type
in the Postfix main.cf file (but this may cause surprises when you
<blockquote>
<pre>
% <strong>make tidy</strong> # if you have left-over files from a previous build
-% <strong>make makefiles CCARGS='-DUSE_SASL_AUTH \
- -DDEF_SERVER_SASL_TYPE=\"dovecot\" \
- ...<i>CCARGS options for LDAP or TLS etc.</i>...' \
- AUXLIBS='...<i>AUXLIBS options for LDAP or TLS etc.</i>...'</strong>
+% <strong>make makefiles CCARGS="-DUSE_SASL_AUTH \
+ -DDEF_SERVER_SASL_TYPE=\\\"dovecot\\\" \
+ ...<i>CCARGS options for LDAP or TLS etc.</i>..." \
+ AUXLIBS="...<i>AUXLIBS options for LDAP or TLS etc.</i>..."</strong>
</pre>
</blockquote>
<blockquote>
<pre>
make -f Makefile.init makefiles \
- 'CCARGS=-DHAS_SQLITE -I/usr/local/include' \
- 'AUXLIBS_SQLITE=-L/usr/local/lib -lsqlite3 -lpthread'
+ "CCARGS=-DHAS_SQLITE -I/usr/local/include" \
+ "AUXLIBS_SQLITE=-L/usr/local/lib -lsqlite3 -lpthread"
</pre>
</blockquote>
<p> The following cipher grades are supported: </p>
<dl>
-<dt><b>export</b></dt>
-<dd> Enable "EXPORT" grade or stronger OpenSSL ciphers. The
-underlying cipherlist is specified via the tls_export_cipherlist
-configuration parameter, which you are strongly encouraged not to
-change. This choice is insecure and SHOULD NOT be used. </dd>
-
-<dt><b>low</b></dt>
-<dd> Enable "LOW" grade or stronger OpenSSL ciphers. The underlying
-cipherlist is specified via the tls_low_cipherlist configuration
-parameter, which you are strongly encouraged not to change. This
-choice is insecure and SHOULD NOT be used. </dd>
+<dt><b>high</b></dt>
+<dd> Enable only "HIGH" grade OpenSSL ciphers. The
+underlying cipherlist is specified via the tls_high_cipherlist
+configuration parameter, which you are strongly encouraged to
+not change. </dd>
<dt><b>medium</b></dt>
<dd> Enable "MEDIUM" grade or stronger OpenSSL ciphers. These use 128-bit
specified via the tls_medium_cipherlist configuration parameter, which
you are strongly encouraged not to change. </dd>
-<dt><b>high</b></dt>
-<dd> Enable only "HIGH" grade OpenSSL ciphers. The
-underlying cipherlist is specified via the tls_high_cipherlist
-configuration parameter, which you are strongly encouraged to
-not change. </dd>
-
<dt><b>null</b></dt>
<dd> Enable only the "NULL" OpenSSL ciphers, these provide authentication
without encryption. This setting is only appropriate in the rare
tls_null_cipherlist configuration parameter, which you are strongly
encouraged not to change. </dd>
+<dt><b>low</b></dt>
+<dd> Enable "LOW" grade or stronger OpenSSL ciphers. In Postfix
+≥ 3.8 this cipher grade is always identical to "medium". Recent
+versions of OpenSSL do not support any "LOW" grade ciphers. In
+earlier Postfix releases the underlying cipherlist was specified
+via the tls_low_cipherlist configuration parameter, which you are
+strongly encouraged not to change. This obsolete cipher grade
+SHOULD NOT be used. </dd>
+
+<dt><b>export</b></dt>
+<dd> Enable "EXPORT" grade or stronger OpenSSL ciphers. In Postfix
+≥ 3.8 this cipher grade is always identical to "medium". Recent
+versions of OpenSSL do not support any "EXPORT" grade ciphers. In
+earlier Postfix releases the underlying cipherlist was specified
+via the tls_export_cipherlist configuration parameter, which you are
+strongly encouraged not to change. This obsolete cipher grade
+SHOULD NOT be used. </dd>
+
</dl>
<p> Cipher types listed in
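Review bot: the added low/export entries still describe tls_low_cipherlist and tls_export_cipherlist as parameters "which you are strongly encouraged not to change", while this same patch makes both parameters ignored. Replace that clause with the plain statement that the parameter is ignored as of Postfix 3.8, so the grade description and the parameter description do not contradict each other; the same wording appears in the smtp cipher grade list below and in the generated postconf.5 text above.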
<p> The following cipher grades are supported: </p>
<dl>
-<dt><b>export</b></dt>
-<dd> Enable "EXPORT" grade or better OpenSSL ciphers. The underlying
-cipherlist is specified via the tls_export_cipherlist configuration
-parameter, which you are strongly encouraged not to change. This
-choice is insecure and SHOULD NOT be used. </dd>
-
-<dt><b>low</b></dt>
-<dd> Enable "LOW" grade or better OpenSSL ciphers. The underlying
-cipherlist is specified via the tls_low_cipherlist configuration
-parameter, which you are strongly encouraged not to change. This
-choice is insecure and SHOULD NOT be used. </dd>
-
-<dt><b>medium</b></dt>
-<dd> Enable "MEDIUM" grade or better OpenSSL ciphers.
-The underlying cipherlist is specified via the tls_medium_cipherlist
-configuration parameter, which you are strongly encouraged not to change.
-</dd>
-
<dt><b>high</b></dt>
<dd> Enable only "HIGH" grade OpenSSL ciphers. This setting may
be appropriate when all mandatory TLS destinations (e.g. when all
tls_high_cipherlist configuration parameter, which you are strongly
encouraged not to change. </dd>
+<dt><b>medium</b></dt>
+<dd> Enable "MEDIUM" grade or better OpenSSL ciphers.
+The underlying cipherlist is specified via the tls_medium_cipherlist
+configuration parameter, which you are strongly encouraged not to change.
+</dd>
+
<dt><b>null</b></dt>
<dd> Enable only the "NULL" OpenSSL ciphers, these provide authentication
without encryption. This setting is only appropriate in the rare case
configuration parameter, which you are strongly encouraged not to
change. </dd>
+<dt><b>low</b></dt>
+<dd> Enable "LOW" grade or stronger OpenSSL ciphers. In Postfix
+≥ 3.8 this cipher grade is always identical to "medium". Recent
+versions of OpenSSL do not support any "LOW" grade ciphers. In
+earlier Postfix releases the underlying cipherlist was specified
+via the tls_low_cipherlist configuration parameter, which you are
+strongly encouraged not to change. This obsolete cipher grade
+SHOULD NOT be used. </dd>
+
+<dt><b>export</b></dt>
+<dd> Enable "EXPORT" grade or stronger OpenSSL ciphers. In Postfix
+≥ 3.8 this cipher grade is always identical to "medium". Recent
+versions of OpenSSL do not support any "EXPORT" grade ciphers. In
+earlier Postfix releases the underlying cipherlist was specified
+via the tls_export_cipherlist configuration parameter, which you are
+strongly encouraged not to change. This obsolete cipher grade
+SHOULD NOT be used. </dd>
+
</dl>
<p> The underlying cipherlists for grades other than "null" include
%PARAM tls_low_cipherlist see "postconf -d" output
-<p> The OpenSSL cipherlist for "low" or higher grade ciphers. This defines
-the meaning of the "low" setting in smtpd_tls_ciphers,
-smtpd_tls_mandatory_ciphers, smtp_tls_ciphers, smtp_tls_mandatory_ciphers,
-lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. You are strongly
-encouraged not to change this setting. </p>
+<p> The OpenSSL cipherlist for "low" or higher grade ciphers.
+Ignored as of Postfix 3.8. In earlier Postfix releases this
+defined the meaning of the "low" setting in smtpd_tls_ciphers,
+smtpd_tls_mandatory_ciphers, smtp_tls_ciphers,
+smtp_tls_mandatory_ciphers, lmtp_tls_ciphers, and
+lmtp_tls_mandatory_ciphers. You are strongly encouraged not to
+change this setting. </p>
-<p> This feature is available in Postfix 2.3 and later. </p>
+<p> This feature is available in Postfix 2.3 and later. </p>
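Review bot: the removed and added "This feature is available in Postfix 2.3 and later." lines are identical as shown, so this is a whitespace-only change; if that is intended it is harmless, but the line would be more useful stating the real range, e.g. "Available in Postfix 2.3..3.7; ignored in Postfix 3.8 and later", matching the ranges used in the smtp(8)/smtpd(8) parameter lists elsewhere in this patch. The same applies to the tls_export_cipherlist entry below.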
%PARAM tls_export_cipherlist see "postconf -d" output
-<p> The OpenSSL cipherlist for "export" or higher grade ciphers. This
-defines the meaning of the "export" setting in smtpd_tls_ciphers,
-smtpd_tls_mandatory_ciphers, smtp_tls_ciphers, smtp_tls_mandatory_ciphers,
-lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. With Postfix
-releases before the middle of 2015 this is the default cipherlist
-for the opportunistic ("may") TLS client security level and also
-the default cipherlist for the SMTP server. You are strongly
-encouraged not to change this setting. </p>
+<p> The OpenSSL cipherlist for "export" or higher grade ciphers.
+Ignored as of Postfix 3.8. In earlier Postfix releases this
+defined the meaning of the "export" setting in smtpd_tls_ciphers,
+smtpd_tls_mandatory_ciphers, smtp_tls_ciphers,
+smtp_tls_mandatory_ciphers, lmtp_tls_ciphers, and
+lmtp_tls_mandatory_ciphers. You are strongly encouraged not to
+change this setting. </p>
-<p> This feature is available in Postfix 2.3 and later. </p>
+<p> This feature is available in Postfix 2.3 and later. </p>
%PARAM tls_null_cipherlist eNULL:!aNULL
%PARAM ignore_srv_lookup_error no
<p> When SRV record lookup fails, fall back to MX or IP address
-lookup as if SRV record lookup was not enabled. </>
+lookup as if SRV record lookup was not enabled. </p>
<p> This feature is available in Postfix 3.8 and later. </p>
USE_FNV_32BIT USE_FNV_32BIT
void void cleanup_milter_receive state count
struct DICT open const char int int dict_xx_open
+ Available in in Postfix version 2 3 3 7
smtp smtp_connect c smtp smtp h smtp smtp_params c
arguments Files src dns dns h src dns dns_rr_eq_sa c
only a subset of all arguments Files src dns dns h
+ global mail_params h smtp smtp c smtpd smtpd c tls tls_misc c
+ global mail_params h smtp smtp c smtpd smtpd c tls tls_misc c
+ tls tls_proxy_client_scan c tls tls_proxy h tlsproxy tlsproxy c
+ smtp smtp c smtpd smtpd c tls tls_misc c
+ smtp smtp c smtpd smtpd c tls tls_misc c
+proto proto SASL_README html proto SQLITE_README html
NOPREF
NOWEIGHT
modernisms
+Bordo
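Review bot: the added stop-list line "Available in in Postfix version 2 3 3 7" whitelists the doubled "in in" for the double-word check instead of fixing it. Drop this line and correct the smtp.c header comment (the "Available in in Postfix version 2.3..3.7:" line in this patch), which also fixes the generated smtp.8 text.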
/*
* TLS cipherlists
*/
+ /* Deprecated and unused cipher, key exchange and public key algorithms */
+#define TLS_EXCL_CIPHS ":!SEED:!IDEA:!3DES:!RC2:!RC4:!RC5"
+#define TLS_EXCL_KEXCH ":!kDH:!kECDH"
+#define TLS_EXCL_PKEYS ":!aDSS"
+#define TLS_EXCL_DGSTS ":!MD5"
+#define TLS_EXCL TLS_EXCL_CIPHS TLS_EXCL_REST
+#define TLS_EXCL_REST TLS_EXCL_KEXCH TLS_EXCL_PKEYS TLS_EXCL_DGSTS
+
#define VAR_TLS_HIGH_CLIST "tls_high_cipherlist"
-#define DEF_TLS_HIGH_CLIST "aNULL:-aNULL:HIGH:@STRENGTH"
+#define DEF_TLS_HIGH_CLIST "aNULL:-aNULL:HIGH" TLS_EXCL ":@STRENGTH"
extern char *var_tls_high_clist;
#define VAR_TLS_MEDIUM_CLIST "tls_medium_cipherlist"
-#define DEF_TLS_MEDIUM_CLIST "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
+#define DEF_TLS_MEDIUM_CLIST "aNULL:-aNULL:HIGH:MEDIUM" TLS_EXCL ":+RC4:@STRENGTH"
extern char *var_tls_medium_clist;
#define VAR_TLS_LOW_CLIST "tls_low_cipherlist"
-#define DEF_TLS_LOW_CLIST "aNULL:-aNULL:HIGH:MEDIUM:LOW:+RC4:@STRENGTH"
-extern char *var_tls_low_clist;
+#define DEF_TLS_LOW_CLIST ""
+extern char *var_tls_low_ignored;
#define VAR_TLS_EXPORT_CLIST "tls_export_cipherlist"
-#define DEF_TLS_EXPORT_CLIST "aNULL:-aNULL:HIGH:MEDIUM:LOW:EXPORT:+RC4:@STRENGTH"
-extern char *var_tls_export_clist;
+#define DEF_TLS_EXPORT_CLIST ""
+extern char *var_tls_export_ignored;
#define VAR_TLS_NULL_CLIST "tls_null_cipherlist"
-#define DEF_TLS_NULL_CLIST "eNULL:!aNULL"
+#define DEF_TLS_NULL_CLIST "eNULL" TLS_EXCL_REST ":!aNULL"
extern char *var_tls_null_clist;
#if defined(SN_X25519) && defined(NID_X25519)
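Review bot: the ":+RC4" suffix kept in DEF_TLS_MEDIUM_CLIST is now dead, because TLS_EXCL expands to include "!RC4" earlier in the same string and OpenSSL's "!" removes a cipher permanently, leaving "+RC4" nothing to reorder; drop it so the default does not suggest RC4 is still negotiable. Style point: TLS_EXCL is defined in terms of TLS_EXCL_REST one line before TLS_EXCL_REST is defined. That is legal C (macro bodies are expanded at the point of use), but defining TLS_EXCL_REST first reads better. The renamed var_tls_low_ignored / var_tls_export_ignored make the intent visible at every use site, which is good.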
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20230219"
+#define MAIL_RELEASE_DATE "20230304"
#define MAIL_VERSION_NUMBER "3.8"
#ifdef SNAPSHOT
/* records.
/* .IP "\fBignore_srv_lookup_error (no)\fR"
/* When SRV record lookup fails, fall back to MX or IP address
-/* lookup as if SRV record lookups were not enabled.
+/* lookup as if SRV record lookup was not enabled.
/* .IP "\fBallow_srv_lookup_fallback (no)\fR"
/* When SRV record lookup fails or no SRV record exists, fall back
-/* to MX or IP address lookup as if SRV record lookups were not enabled.
+/* to MX or IP address lookup as if SRV record lookup was not enabled.
/* MIME PROCESSING CONTROLS
/* .ad
/* .fi
/* The OpenSSL cipherlist for "high" grade ciphers.
/* .IP "\fBtls_medium_cipherlist (see 'postconf -d' output)\fR"
/* The OpenSSL cipherlist for "medium" or higher grade ciphers.
+/* .IP "\fBtls_null_cipherlist (eNULL:!aNULL)\fR"
+/* The OpenSSL cipherlist for "NULL" grade ciphers that provide
+/* authentication without encryption.
+/* .PP
+/* Available in in Postfix version 2.3..3.7:
/* .IP "\fBtls_low_cipherlist (see 'postconf -d' output)\fR"
/* The OpenSSL cipherlist for "low" or higher grade ciphers.
/* .IP "\fBtls_export_cipherlist (see 'postconf -d' output)\fR"
/* The OpenSSL cipherlist for "export" or higher grade ciphers.
-/* .IP "\fBtls_null_cipherlist (eNULL:!aNULL)\fR"
-/* The OpenSSL cipherlist for "NULL" grade ciphers that provide
-/* authentication without encryption.
/* .PP
/* Available in Postfix version 2.4 and later:
/* .IP "\fBsmtp_sasl_tls_verified_security_options ($smtp_sasl_tls_security_options)\fR"
/* The OpenSSL cipherlist for "high" grade ciphers.
/* .IP "\fBtls_medium_cipherlist (see 'postconf -d' output)\fR"
/* The OpenSSL cipherlist for "medium" or higher grade ciphers.
+/* .IP "\fBtls_null_cipherlist (eNULL:!aNULL)\fR"
+/* The OpenSSL cipherlist for "NULL" grade ciphers that provide
+/* authentication without encryption.
+/* .PP
+/* Available in Postfix version 2.3..3.7:
/* .IP "\fBtls_low_cipherlist (see 'postconf -d' output)\fR"
/* The OpenSSL cipherlist for "low" or higher grade ciphers.
/* .IP "\fBtls_export_cipherlist (see 'postconf -d' output)\fR"
/* The OpenSSL cipherlist for "export" or higher grade ciphers.
-/* .IP "\fBtls_null_cipherlist (eNULL:!aNULL)\fR"
-/* The OpenSSL cipherlist for "NULL" grade ciphers that provide
-/* authentication without encryption.
/* .PP
/* Available in Postfix version 2.5 and later:
/* .IP "\fBsmtpd_tls_fingerprint_digest (see 'postconf -d' output)\fR"
/*
/* char *var_tls_high_clist;
/* char *var_tls_medium_clist;
-/* char *var_tls_low_clist;
-/* char *var_tls_export_clist;
/* char *var_tls_null_clist;
/* char *var_tls_eecdh_auto;
/* char *var_tls_eecdh_strong;
/* contains invalid protocol names, TLS_PROTOCOL_INVALID is returned and
/* no warning is logged.
/*
-/* tls_cipher_grade() converts a case-insensitive cipher grade
-/* name (high, medium, low, export, null) to the corresponding
-/* TLS_CIPHER_ constant. When the input specifies an unrecognized
-/* grade, tls_cipher_grade() logs no warning, and returns
-/* TLS_CIPHER_NONE.
+/* tls_cipher_grade() converts a case-insensitive cipher grade name (high,
+/* medium, null) to the corresponding TLS_CIPHER_ constant. When the
+/* input specifies an unrecognized grade, tls_cipher_grade() logs no
+/* warning, and returns TLS_CIPHER_NONE.
/*
/* str_tls_cipher_grade() converts a cipher grade to a name.
/* When the input specifies an undefined grade, str_tls_cipher_grade()
*/
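Review bot: the updated comment lists the accepted grade names as (high, medium, null), but tls_cipher_grade_table in this patch still accepts "low" and "export" and maps them to TLS_CIPHER_MEDIUM. Document that here, e.g. "the obsolete names low and export are accepted and treated as medium", so callers do not assume those inputs yield TLS_CIPHER_NONE.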
char *var_tls_high_clist;
char *var_tls_medium_clist;
-char *var_tls_low_clist;
-char *var_tls_export_clist;
+char *var_tls_low_ignored;
+char *var_tls_export_ignored;
char *var_tls_null_clist;
int var_tls_daemon_rand_bytes;
char *var_tls_eecdh_auto;
const NAME_CODE tls_cipher_grade_table[] = {
"high", TLS_CIPHER_HIGH,
"medium", TLS_CIPHER_MEDIUM,
- "low", TLS_CIPHER_LOW,
- "export", TLS_CIPHER_EXPORT,
+ "low", TLS_CIPHER_MEDIUM,
+ "export", TLS_CIPHER_MEDIUM,
"null", TLS_CIPHER_NULL,
"invalid", TLS_CIPHER_NONE,
0, TLS_CIPHER_NONE,
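Review bot: mapping "low" and "export" to TLS_CIPHER_MEDIUM silently upgrades a configuration that the documentation in this patch says SHOULD NOT be used, so an administrator who set smtp_tls_ciphers = export will never learn that the setting is obsolete. Consider a one-time msg_warn() where the grade is resolved ("cipher grade "export" is obsolete, using "medium""), which also gives operators a log line to search for when auditing main.cf. Assuming the name_code lookup by code returns the first matching entry, str_tls_cipher_grade(TLS_CIPHER_MEDIUM) will still return "medium" because that entry precedes "low" and "export" in the table, which is the right outcome for logging.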
static const CONFIG_STR_TABLE str_table[] = {
VAR_TLS_HIGH_CLIST, DEF_TLS_HIGH_CLIST, &var_tls_high_clist, 1, 0,
VAR_TLS_MEDIUM_CLIST, DEF_TLS_MEDIUM_CLIST, &var_tls_medium_clist, 1, 0,
- VAR_TLS_LOW_CLIST, DEF_TLS_LOW_CLIST, &var_tls_low_clist, 1, 0,
- VAR_TLS_EXPORT_CLIST, DEF_TLS_EXPORT_CLIST, &var_tls_export_clist, 1, 0,
+ VAR_TLS_LOW_CLIST, DEF_TLS_LOW_CLIST, &var_tls_low_ignored, 0, 0,
+ VAR_TLS_EXPORT_CLIST, DEF_TLS_EXPORT_CLIST, &var_tls_export_ignored, 0, 0,
VAR_TLS_NULL_CLIST, DEF_TLS_NULL_CLIST, &var_tls_null_clist, 1, 0,
VAR_TLS_EECDH_AUTO, DEF_TLS_EECDH_AUTO, &var_tls_eecdh_auto, 0, 0,
VAR_TLS_EECDH_STRONG, DEF_TLS_EECDH_STRONG, &var_tls_eecdh_strong, 1, 0,
case TLS_CIPHER_MEDIUM:
vstring_strcpy(buf, var_tls_medium_clist);
break;
- case TLS_CIPHER_LOW:
- vstring_strcpy(buf, var_tls_low_clist);
- break;
- case TLS_CIPHER_EXPORT:
- vstring_strcpy(buf, var_tls_export_clist);
- break;
case TLS_CIPHER_NULL:
vstring_strcpy(buf, var_tls_null_clist);
break;
typedef struct TLS_CLIENT_PARAMS {
char *tls_high_clist;
char *tls_medium_clist;
- char *tls_low_clist;
- char *tls_export_clist;
char *tls_null_clist;
char *tls_eecdh_auto;
char *tls_eecdh_strong;
} TLS_CLIENT_PARAMS;
#define TLS_PROXY_PARAMS(params, a1, a2, a3, a4, a5, a6, a7, a8, \
- a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19) \
+ a9, a10, a11, a12, a13, a14, a15, a16, a17) \
(((params)->a1), ((params)->a2), ((params)->a3), \
((params)->a4), ((params)->a5), ((params)->a6), ((params)->a7), \
((params)->a8), ((params)->a9), ((params)->a10), ((params)->a11), \
((params)->a12), ((params)->a13), ((params)->a14), ((params)->a15), \
- ((params)->a16), ((params)->a17), ((params)->a18), ((params)->a19))
+ ((params)->a16), ((params)->a17))
/*
* tls_proxy_client_param_misc.c, tls_proxy_client_param_print.c, and
TLS_PROXY_PARAMS(params,
tls_high_clist = var_tls_high_clist,
tls_medium_clist = var_tls_medium_clist,
- tls_low_clist = var_tls_low_clist,
- tls_export_clist = var_tls_export_clist,
tls_null_clist = var_tls_null_clist,
tls_eecdh_auto = var_tls_eecdh_auto,
tls_eecdh_strong = var_tls_eecdh_strong,
SEND_ATTR_STR(VAR_TLS_HIGH_CLIST, params->tls_high_clist),
SEND_ATTR_STR(VAR_TLS_MEDIUM_CLIST,
params->tls_medium_clist),
- SEND_ATTR_STR(VAR_TLS_LOW_CLIST, params->tls_low_clist),
- SEND_ATTR_STR(VAR_TLS_EXPORT_CLIST,
- params->tls_export_clist),
SEND_ATTR_STR(VAR_TLS_NULL_CLIST, params->tls_null_clist),
SEND_ATTR_STR(VAR_TLS_EECDH_AUTO, params->tls_eecdh_auto),
SEND_ATTR_STR(VAR_TLS_EECDH_STRONG,
{
myfree(params->tls_high_clist);
myfree(params->tls_medium_clist);
- myfree(params->tls_low_clist);
- myfree(params->tls_export_clist);
myfree(params->tls_null_clist);
myfree(params->tls_eecdh_auto);
myfree(params->tls_eecdh_strong);
int ret;
VSTRING *tls_high_clist = vstring_alloc(25);
VSTRING *tls_medium_clist = vstring_alloc(25);
- VSTRING *tls_low_clist = vstring_alloc(25);
- VSTRING *tls_export_clist = vstring_alloc(25);
VSTRING *tls_null_clist = vstring_alloc(25);
VSTRING *tls_eecdh_auto = vstring_alloc(25);
VSTRING *tls_eecdh_strong = vstring_alloc(25);
ret = scan_fn(fp, flags | ATTR_FLAG_MORE,
RECV_ATTR_STR(VAR_TLS_HIGH_CLIST, tls_high_clist),
RECV_ATTR_STR(VAR_TLS_MEDIUM_CLIST, tls_medium_clist),
- RECV_ATTR_STR(VAR_TLS_LOW_CLIST, tls_low_clist),
- RECV_ATTR_STR(VAR_TLS_EXPORT_CLIST, tls_export_clist),
RECV_ATTR_STR(VAR_TLS_NULL_CLIST, tls_null_clist),
RECV_ATTR_STR(VAR_TLS_EECDH_AUTO, tls_eecdh_auto),
RECV_ATTR_STR(VAR_TLS_EECDH_STRONG, tls_eecdh_strong),
/* Always construct a well-formed structure. */
params->tls_high_clist = vstring_export(tls_high_clist);
params->tls_medium_clist = vstring_export(tls_medium_clist);
- params->tls_low_clist = vstring_export(tls_low_clist);
- params->tls_export_clist = vstring_export(tls_export_clist);
params->tls_null_clist = vstring_export(tls_null_clist);
params->tls_eecdh_auto = vstring_export(tls_eecdh_auto);
params->tls_eecdh_strong = vstring_export(tls_eecdh_strong);
params->tls_mgr_service = vstring_export(tls_mgr_service);
params->tls_tkt_cipher = vstring_export(tls_tkt_cipher);
- ret = (ret == 19 ? 1 : -1);
+ ret = (ret == 17 ? 1 : -1);
if (ret != 1) {
tls_proxy_client_param_free(params);
params = 0;
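Review bot: the magic attribute count in `ret = (ret == 17 ? 1 : -1);` must be kept in sync by hand with the TLS_PROXY_PARAMS macro arity (a1..a17) and with the SEND_ATTR_STR/RECV_ATTR_STR lists changed in this patch; a named constant, or a comment at each of the three sites naming the others, would make the next removal safer. The check itself has the right shape: an smtp(8) and tlsproxy(8) built from different versions would disagree on the count, and the mismatch frees the params and returns failure rather than continuing with a partially populated structure.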
/* The OpenSSL cipherlist for "high" grade ciphers.
/* .IP "\fBtls_medium_cipherlist (see 'postconf -d' output)\fR"
/* The OpenSSL cipherlist for "medium" or higher grade ciphers.
-/* .IP "\fBtls_low_cipherlist (see 'postconf -d' output)\fR"
-/* The OpenSSL cipherlist for "low" or higher grade ciphers.
-/* .IP "\fBtls_export_cipherlist (see 'postconf -d' output)\fR"
-/* The OpenSSL cipherlist for "export" or higher grade ciphers.
/* .IP "\fBtls_null_cipherlist (eNULL:!aNULL)\fR"
/* The OpenSSL cipherlist for "NULL" grade ciphers that provide
/* authentication without encryption.
/* preference order instead of the remote client's cipher preference
/* order.
/* .PP
+/* Available in Postfix version 2.8..3.7:
+/* .IP "\fBtls_low_cipherlist (see 'postconf -d' output)\fR"
+/* The OpenSSL cipherlist for "low" or higher grade ciphers.
+/* .IP "\fBtls_export_cipherlist (see 'postconf -d' output)\fR"
+/* The OpenSSL cipherlist for "export" or higher grade ciphers.
+/* .PP
/* Available in Postfix version 2.9 and later:
/* .IP "\fBtls_legacy_public_key_fingerprints (no)\fR"
/* A temporary migration aid for sites that use certificate