with the "encoding" configuration file attribute. The default
is "UTF8". Previously the encoding was hard-coded as "LATIN1".
Files: global/dict_pgsql,c, proto/pgsql_table.
+
+20220512
+
+ Documentation: in the text for smtpd_reject_unlisted_sender
+ and smtpd_reject_unlisted_recipient, refer to the address
+ class validation in ADDRESS_CLASS_README, instead of repeating
+ that information in postconf(5). File: proto/postconf.proto.
+
+20220515
+
+ Documentation: the text for reject_xxx_sender_login_mismatch
+ was not optimal for clarity. As new features were added
+ over time, they were documented in terms of the existing
+ features. File: proto/postconf.proto.
+
+ Documentation: minor tweaks in ADDRESS_CLASS_README. File:
+ proto/ADDRESS_CLASS_README.html.
+
+20220523
+
+ Documentation: add the Postfix >= 3.7 postlog(1) command
+ to the list of programs that can have set-gid permissions.
+ File: proto/MAILLOG_README.html.
+
+20220527
+
+ Internal documentation: update the timeline annotations of
+ Milter protocol features. File: milter/milter8.c.
+
+ Documentation: edit text for clarity. File:
+ proto/MILTER_README.html.
An address class is defined by three items.
- * The list of domains that are a member of the class: for example, all local
- domains, or all relay domains.
+ * The list of domains that are a member of that address class: for example,
+ all local domains, or all relay domains.
- * The default delivery transport. For example, the local, virtual or relay
- delivery transport (delivery transports are defined in master.cf). This
- helps to keep Postfix configurations simple, by avoiding the need for
- explicit routing information in transport maps.
+ * The default delivery transport for that address class. For example, the
+ local, virtual or relay delivery transport (delivery transports are defined
+ in master.cf). This helps to keep Postfix configurations simple, by
+ avoiding the need for explicit routing information in transport maps.
* The list of valid recipient addresses for that address class. The Postfix
SMTP server rejects invalid recipients with "User unknown in <name of
* Purpose: final delivery for traditional UNIX system accounts and
traditional Sendmail-style aliases. This is typically used for the
- canonical domains of the machine. For a discussion of the difference
- between canonical domains, hosted domains and other domains, see the
- VIRTUAL_README file.
+ canonical domains of the machine (for example, $myhostname, $mydomain). For
+ a discussion of the difference between canonical domains, hosted domains
+ and other domains, see the VIRTUAL_README file.
* Domain names are listed with the mydestination parameter. This domain class
also includes mail for user@[ipaddress] when the IP address is listed with
The virtual alias domain class.
- * Purpose: hosted domains where each recipient address is aliased to a local
- UNIX system account or to a remote address. A virtual alias example is
- given in the VIRTUAL_README file.
+ * Purpose: hosted domains where each recipient address is aliased to an
+ address in a different domain, for example, a local UNIX system account or
+ a remote address. A virtual alias example is given in the VIRTUAL_README
+ file.
* Domain names are listed in virtual_alias_domains. The default value is
$virtual_alias_maps for Postfix 1.1 compatibility.
compatibility.
* There is no mail delivery transport parameter. Every address must be
- aliased to some other address.
+ aliased to an address in some other domain.
The virtual mailbox domain class.
mail (and bounced undeliverable mail) out of the mail queue. This is
controlled by the smtpd_reject_unlisted_recipient configuration parameter.
- * As of Postfix version 2.1, the SMTP server also rejects unknown sender
- addresses (i.e. addresses that it would reject as unknown recipient
+ * As of Postfix version 2.1, the SMTP server can also reject unknown sender
+ addresses (i.e. addresses that it would reject as an unknown recipient
addresses). Sender "egress filtering" can help to slow down an email worm
explosion. This is controlled by the smtpd_reject_unlisted_sender
configuration parameter.
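Review bot: In the sender-address bullet, the added line "addresses (i.e. addresses that it would reject as an unknown recipient" pairs the singular article "an" with the plural "addresses" on the following line. Drop "an", as the removed text had it, or make the noun singular. The same wording is carried into the HTML copies of this file later in the patch, so correct it in the proto source and regenerate the derived files.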
$maillog_file (also, logging to stdout would interfere with the operation
of some of these programs). These programs can log to postlogd(8) if they
are run by the super-user, or if their executable file has set-gid
- permission. Do not set this permission on programs other than postdrop(1)
- and postqueue(1).
+ permission. Do not set this permission on programs other than postdrop(1),
+ postqueue(1), and (Postfix >= 3.7) postlog(1).
B\bBu\bui\bil\bld\bdi\bin\bng\bg M\bMi\bil\blt\bte\ber\br a\bap\bpp\bpl\bli\bic\bca\bat\bti\bio\bon\bns\bs
-Milter applications have been written in C, JAVA and Perl, but this document
-deals with C applications only. For these, you need an object library that
-implements the Sendmail 8 Milter protocol. Postfix currently does not provide
-such a library, but Sendmail does.
+Milter applications have been written in C, Haskell, Java, Perl, Python, Rust,
+and more, but this document covers C applications only. For these, you need an
+object library that implements the Sendmail 8 Milter protocol. Postfix
+currently does not provide such a library, but Sendmail does.
Some systems install the Sendmail libmilter library by default. With other
systems, libmilter may be provided by a package (called "sendmail-devel" on
You specify SMTP-only Milter applications (there can be more than one) with the
smtpd_milters parameter. Each Milter application is identified by the name of
its listening socket; other Milter configuration options will be discussed in
-later sections. Milter applications are applied in the order as specified, and
-the first Milter application that rejects a command will override the responses
-from other Milter applications.
+later sections. Postfix sends commands to each Milter application in the order
+as configured with smtpd_milters. When a Milter application rejects a command,
+that will override responses from other Milter applications.
/etc/postfix/main.cf:
# Milters for mail that arrives via the smtpd(8) server.
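Review bot: The rewritten smtpd_milters paragraph drops "first" from "the first Milter application that rejects a command", so it no longer says which response wins when more than one Milter rejects the same command. Because the new text stresses that commands are sent in configured order, state explicitly whether the earliest reject takes precedence and whether later Milters still see the command. "In the order as configured" also reads better as "in the order configured". The non_smtpd_milters paragraph that follows uses the same wording and needs the same fix.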
You specify non-SMTP Milter applications with the non_smtpd_milters parameter.
This parameter uses the same syntax as the smtpd_milters parameter in the
previous section. As with the SMTP-only filters, you can specify more than one
-Milter application; they are applied in the order as specified, and the first
-Milter application that rejects a command will override the responses from the
-other applications.
+Milter application. Postfix sends commands to each Milter application in the
+order as configured with non_smtpd_milters. When a Milter application rejects a
+command, that will override responses from other Milter applications.
/etc/postfix/main.cf:
# Milters for non-SMTP mail.
W\bWh\bha\bat\bt m\bma\bac\bcr\bro\bos\bs w\bwi\bil\bll\bl P\bPo\bos\bst\btf\bfi\bix\bx s\bse\ben\bnd\bd t\bto\bo M\bMi\bil\blt\bte\ber\brs\bs?\b?
Postfix sends specific sets of macros at different Milter protocol stages. The
-sets are configured with the parameters as shown in the table below (EOH = end
-of headers; EOM = end of message). The protocol version is a number that
-Postfix sends at the beginning of the Milter protocol handshake.
+names of these macros are configured with the parameters shown in the table
+below (EOH = end of headers; EOM = end of message). Some lists require a
+minimum Milter protocol version.
As of Sendmail 8.14.0, Milter applications can specify what macros they want to
receive at different Milter protocol stages. An application-specified list
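Review bot: The added sentence "Some lists require a minimum Milter protocol version" replaces the only explanation of what the protocol version is (the number Postfix sends at the beginning of the handshake), so the paragraph now refers to a version without saying what it is or where it is set. Keep a short definition, or point to the parameter that controls it (milter_protocol).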
The solution is to use Postfix version 2.4 or later.
- * Most Milter configuration options are global. Future Postfix versions may
- support per-Milter timeouts, per-Milter error handling, etc.
+ * Postfix versions before 3.0 did not support per-Milter timeouts, per-Milter
+ error handling, etc.
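Review bot: The replacement limitation bullet states what Postfix before 3.0 lacked but gives no pointer to where per-Milter timeouts and error handling are described for 3.0 and later. Add a reference to the text that documents the per-Milter settings, or drop the item from the limitations list if it only concerns old releases.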
<ul>
-<li> <p> The list of domains that are a member of the class: for
-example, all <a href="ADDRESS_CLASS_README.html#local_domain_class">local domains</a>, or all <a href="ADDRESS_CLASS_README.html#relay_domain_class">relay domains</a>. </p>
+<li> <p> The list of domains that are a member of that address
+class: for example, all <a href="ADDRESS_CLASS_README.html#local_domain_class">local domains</a>, or all <a href="ADDRESS_CLASS_README.html#relay_domain_class">relay domains</a>. </p>
-<li> <p> The default delivery transport. For example, the local,
+<li> <p> The default delivery transport for that address class. For
+example, the local,
virtual or relay delivery transport (delivery transports are defined
in <a href="master.5.html">master.cf</a>). This helps to keep Postfix configurations simple,
by avoiding the need for explicit routing information in transport
<li> <p> Purpose: final delivery for traditional UNIX system accounts
and traditional Sendmail-style aliases. This is typically used for
-the <a href="VIRTUAL_README.html#canonical">canonical domains</a> of the machine. For a discussion of the
+the <a href="VIRTUAL_README.html#canonical">canonical domains</a> of the machine (for example, $<a href="postconf.5.html#myhostname">myhostname</a>,
+$<a href="postconf.5.html#mydomain">mydomain</a>). For a discussion of the
difference between <a href="VIRTUAL_README.html#canonical">canonical domains</a>, <a href="VIRTUAL_README.html#canonical">hosted domains</a> and other
domains, see the <a href="VIRTUAL_README.html">VIRTUAL_README</a> file. </p>
<ul>
<li> <p> Purpose: <a href="VIRTUAL_README.html#canonical">hosted domains</a> where each recipient address is
-aliased to a local UNIX system account or to a remote address. A
+aliased to an address in a different domain, for example, a local
+UNIX system account or a remote address. A
<a href="VIRTUAL_README.html#virtual_alias">virtual alias example</a> is given in the <a href="VIRTUAL_README.html">VIRTUAL_README</a> file. </p>
<li> <p> Domain names are listed in <a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>. The
$<a href="postconf.5.html#virtual_maps">virtual_maps</a> for Postfix 1.1 compatibility. </p>
<li> <p> There is no mail delivery transport parameter. Every
-address must be aliased to some other address. </p>
+address must be aliased to an address in some other domain. </p>
</ul>
mail) out of the mail queue. This is controlled by the
<a href="postconf.5.html#smtpd_reject_unlisted_recipient">smtpd_reject_unlisted_recipient</a> configuration parameter. </p>
-<li> <p> As of Postfix version 2.1, the SMTP server also rejects
+<li> <p> As of Postfix version 2.1, the SMTP server can also reject
unknown sender addresses (i.e. addresses that it would reject as
-unknown recipient addresses). Sender "egress filtering" can help
+an unknown recipient addresses). Sender "egress filtering" can help
to slow down an email worm explosion. This is controlled by the
<a href="postconf.5.html#smtpd_reject_unlisted_sender">smtpd_reject_unlisted_sender</a> configuration parameter. </p>
operation of some of these programs). These programs can log to
<a href="postlogd.8.html">postlogd(8)</a> if they are run by the super-user, or if their executable
file has set-gid permission. Do not set this permission on programs
-other than <a href="postdrop.1.html">postdrop(1)</a> and <a href="postqueue.1.html">postqueue(1)</a>.
+other than <a href="postdrop.1.html">postdrop(1)</a>, <a href="postqueue.1.html">postqueue(1)</a>, and (Postfix ≥ 3.7)
+<a href="postlog.1.html">postlog(1)</a>.
</ul>
<h2><a name="building">Building Milter applications</a></h2>
-<p> Milter applications have been written in C, JAVA and Perl, but
-this document deals with C applications only. For these, you need
+<p> Milter applications have been written in C, Haskell, Java, Perl,
+Python, Rust, and more, but
+this document covers C applications only. For these, you need
an object library that implements the Sendmail 8 Milter protocol.
Postfix currently does not provide such a library, but Sendmail
does. </p>
<p> You specify SMTP-only Milter applications (there can be more
than one) with the <a href="postconf.5.html#smtpd_milters">smtpd_milters</a> parameter. Each Milter application
is identified by the name of its listening socket; other Milter
-configuration options will be discussed in later sections. Milter
-applications are applied in the order as specified, and the first
-Milter application that rejects a command will override the responses
-from other Milter applications. </p>
+configuration options will be discussed in later sections. Postfix
+sends commands to each Milter application in the order as configured
+with <a href="postconf.5.html#smtpd_milters">smtpd_milters</a>. When a Milter application rejects a command,
+that will override responses from other Milter applications. </p>
<blockquote>
<pre>
<p> You specify non-SMTP Milter applications with the <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>
parameter. This parameter uses the same syntax as the <a href="postconf.5.html#smtpd_milters">smtpd_milters</a>
parameter in the previous section. As with the SMTP-only filters,
-you can specify more than one Milter application; they are applied
-in the order as specified, and the first Milter application that
-rejects a command will override the responses from the other
-applications. </p>
+you can specify more than one Milter application. Postfix sends
+commands to each Milter application in the order as configured with
+<a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>. When a Milter application rejects a command,
+that will override responses from other Milter applications. </p>
<blockquote>
<pre>
<h3><a name="send-macros">What macros will Postfix send to Milters?</a></h3>
<p> Postfix sends specific sets of macros at different Milter protocol
-stages. The sets are configured with the parameters as shown in the
-table below (EOH = end of headers; EOM = end of message). The
-protocol version is a number that Postfix sends at the beginning
-of the Milter protocol handshake. </p>
+stages. The names of these macros are configured with the parameters
+shown in the table below (EOH = end of headers; EOM = end of message).
+Some lists require a minimum Milter protocol version. </p>
<p> As of Sendmail 8.14.0, Milter applications can specify what
macros they want to receive at different Milter protocol stages.
<p> The solution is to use Postfix version 2.4 or later. </p>
-<li> <p> Most Milter configuration options are global. Future Postfix
-versions may support per-Milter timeouts, per-Milter error handling,
-etc. </p>
+<li> <p> Postfix versions before 3.0 did not support per-Milter
+timeouts, per-Milter error handling, etc. </p>
</ul>
from filling up with undeliverable MAILER-DAEMON messages.
</p>
-<p> An address is considered "unknown" when it does not match a
-<a href="virtual.5.html">virtual(5)</a> alias or a <a href="canonical.5.html">canonical(5)</a> mapping, and one of the following
-conditions holds: </p>
-
-<ul>
-
-<li> The recipient domain matches $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>
-or $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>, but the recipient is not listed in
-$<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a>, and $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> is not null.
-
-<li> The recipient domain matches $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a> but the
-recipient is not listed in $<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a>.
-
-<li> The recipient domain matches $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a> but the
-recipient is not listed in $<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a>, and $<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a>
-is not null.
-
-<li> The recipient domain matches $<a href="postconf.5.html#relay_domains">relay_domains</a> but the recipient
-is not listed in $<a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a>, and $<a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a>
-is not null.
-
-</ul>
+<p> An address is considered "unknown" when 1) it does not match a
+<a href="virtual.5.html">virtual(5)</a> alias or <a href="canonical.5.html">canonical(5)</a> mapping, and 2) the address is not
+valid for its address class. For a definition of class-based address
+validation, see <a href="ADDRESS_CLASS_README.html#classes">
+ADDRESS_CLASS_README</a>. </p>
<p>
This feature is available in Postfix 2.1 and later.
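Review bot: Replacing the four-condition list with a pointer to ADDRESS_CLASS_README removes the "is not null" qualifiers from postconf(5), that is, the fact that an empty $local_recipient_maps, $virtual_mailbox_maps or $relay_recipient_maps turns the check off for that class. An administrator relying on smtpd_reject_unlisted_recipient to keep undeliverable mail out of the queue needs that detail, so confirm the linked section states it for each class or keep one sentence about it here. Separately, the link text begins on a new line after the opening "<a href=...#classes">" tag, which puts whitespace inside the anchor; keep the tag and "ADDRESS_CLASS_README" on one line.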
<p> Request that the Postfix SMTP server rejects mail from unknown
sender addresses, even when no explicit <a href="postconf.5.html#reject_unlisted_sender">reject_unlisted_sender</a>
access restriction is specified. This can slow down an explosion
-of forged mail from worms or viruses. </p>
-
-<p> An address is considered "unknown" when it does not match a
-<a href="virtual.5.html">virtual(5)</a> alias or a <a href="canonical.5.html">canonical(5)</a> mapping, and one of the following
-conditions holds: </p>
-
-<ul>
-
-<li> The sender domain matches $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> or
-$<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>, but the sender is not listed in
-$<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a>, and $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> is not null.
+of forged mail from worms or viruses. </p>
-<li> The sender domain matches $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a> but the sender
-is not listed in $<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a>.
-
-<li> The sender domain matches $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a> but the
-sender is not listed in $<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a>, and $<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a>
-is not null.
-
-<li> The sender domain matches $<a href="postconf.5.html#relay_domains">relay_domains</a> but the sender is
-not listed in $<a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a>, and $<a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> is
-not null.
-
-</ul>
+<p> An address is considered "unknown" when 1) it does not match a
+<a href="virtual.5.html">virtual(5)</a> alias or <a href="canonical.5.html">canonical(5)</a> mapping, and 2) the address is not
+valid for its address class. For a definition of class-based address
+validation, see <a href="ADDRESS_CLASS_README.html#classes">
+ADDRESS_CLASS_README</a>. </p>
<p>
This feature is available in Postfix 2.1 and later.
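Review bot: The removed list in the smtpd_reject_unlisted_sender entry showed that a sender address is validated against the recipient tables ($local_recipient_maps, $virtual_mailbox_maps, $relay_recipient_maps); the replacement "not valid for its address class" no longer says so. Add a clause stating that sender validation uses the same per-class recipient lists, since that is not obvious from the parameter name. Also, "of forged mail from worms or viruses. </p>" is removed and re-added with no visible difference, which looks like whitespace-only churn and should be dropped from the patch if so.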
<dt><b><a name="reject_authenticated_sender_login_mismatch">reject_authenticated_sender_login_mismatch</a></b></dt>
-<dd>Enforces the <a href="postconf.5.html#reject_sender_login_mismatch">reject_sender_login_mismatch</a> restriction for
-authenticated clients only. This feature is available in
-Postfix version 2.1 and later. </dd>
+<dd> Reject the request when the client is authenticated with SASL,
+but either the MAIL FROM address is not listed in $<a href="postconf.5.html#smtpd_sender_login_maps">smtpd_sender_login_maps</a>,
+or the SASL login name is not an owner for that address.
+<br>
+This prevents an authenticated client from using a MAIL FROM address
+that they do not explicitly own.
+<br>
+This feature is available in Postfix version 2.1 and later. </dd>
<dt><b><a name="reject_known_sender_login_mismatch">reject_known_sender_login_mismatch</a></b></dt>
-<dd>Apply the <a href="postconf.5.html#reject_sender_login_mismatch">reject_sender_login_mismatch</a> restriction only to MAIL
-FROM addresses that are known in $<a href="postconf.5.html#smtpd_sender_login_maps">smtpd_sender_login_maps</a>. This
-feature is available in Postfix version 2.11 and later. </dd>
+<dd> When the client is authenticated with SASL, reject the request
+when the MAIL FROM address is listed in $<a href="postconf.5.html#smtpd_sender_login_maps">smtpd_sender_login_maps</a>,
+but the SASL login name is not an owner for that address.
+<br>
+When the client is not authenticated with SASL, reject the request
+when SASL is enabled, and the MAIL FROM address is listed in
+$<a href="postconf.5.html#smtpd_sender_login_maps">smtpd_sender_login_maps</a>.
+<br>
+This protects any MAIL FROM address that is listed in
+$<a href="postconf.5.html#smtpd_sender_login_maps">smtpd_sender_login_maps</a>, while still allowing a client to use any
+unlisted MAIL FROM address.
+<br>
+This feature is available in Postfix version 2.11 and later.</dd>
<dt><b><a name="reject_non_fqdn_sender">reject_non_fqdn_sender</a></b></dt>
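Review bot: In the reject_known_sender_login_mismatch entry, the unauthenticated case hinges on "when SASL is enabled", but the text does not name the setting that decides this. Say which parameter is meant (presumably smtpd_sasl_auth_enable) and link it, so a reader can tell when listed MAIL FROM addresses are actually protected. Minor: the closing tag spacing differs between the two entries in this hunk ("later. </dd>" versus "later.</dd>").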
<dt><b><a name="reject_sender_login_mismatch">reject_sender_login_mismatch</a></b></dt>
-<dd>Reject the request when $<a href="postconf.5.html#smtpd_sender_login_maps">smtpd_sender_login_maps</a> specifies an
-owner for the MAIL FROM address, but the client is not (SASL) logged
-in as that MAIL FROM address owner; or when the client is (SASL)
-logged in, but the client login name doesn't own the MAIL FROM
-address according to $<a href="postconf.5.html#smtpd_sender_login_maps">smtpd_sender_login_maps</a>.</dd>
+<dd> As of Postfix 2.1, this is an alias for
+"<a href="postconf.5.html#reject_authenticated_sender_login_mismatch">reject_authenticated_sender_login_mismatch</a>,
+<a href="postconf.5.html#reject_unauthenticated_sender_login_mismatch">reject_unauthenticated_sender_login_mismatch</a>".</dd>
<dt><b><a name="reject_unauthenticated_sender_login_mismatch">reject_unauthenticated_sender_login_mismatch</a></b></dt>
-<dd>Enforces the <a href="postconf.5.html#reject_sender_login_mismatch">reject_sender_login_mismatch</a> restriction for
-unauthenticated clients only. This feature is available in
-Postfix version 2.1 and later. </dd>
+<dd> Reject the request when SASL is enabled, the MAIL FROM address
+is listed in $<a href="postconf.5.html#smtpd_sender_login_maps">smtpd_sender_login_maps</a>, but the client is not
+authenticated with SASL.
+<br>
+With SASL enabled, this prevents an unauthenticated client from
+using any MAIL FROM address that is listed in $<a href="postconf.5.html#smtpd_sender_login_maps">smtpd_sender_login_maps</a>.
+<br>
+This feature is available in Postfix version 2.1 and later.</dd>
<dt><b><a name="reject_unknown_sender_domain">reject_unknown_sender_domain</a></b></dt>
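Review bot: The reject_sender_login_mismatch entry now reads only "As of Postfix 2.1, this is an alias for ..." and gives no behaviour of its own, so a reader must follow two links to learn what the restriction rejects, and nothing says what it did before 2.1. Keep a one-sentence summary of the combined effect ahead of the alias statement, and either drop the "As of Postfix 2.1" qualifier or say what applied earlier.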
access restriction is specified. This prevents the Postfix queue
from filling up with undeliverable MAILER\-DAEMON messages.
.PP
-An address is considered "unknown" when it does not match a
-\fBvirtual\fR(5) alias or a \fBcanonical\fR(5) mapping, and one of the following
-conditions holds:
-.IP \(bu
-The recipient domain matches $mydestination, $inet_interfaces
-or $proxy_interfaces, but the recipient is not listed in
-$local_recipient_maps, and $local_recipient_maps is not null.
-.IP \(bu
-The recipient domain matches $virtual_alias_domains but the
-recipient is not listed in $virtual_alias_maps.
-.IP \(bu
-The recipient domain matches $virtual_mailbox_domains but the
-recipient is not listed in $virtual_mailbox_maps, and $virtual_mailbox_maps
-is not null.
-.IP \(bu
-The recipient domain matches $relay_domains but the recipient
-is not listed in $relay_recipient_maps, and $relay_recipient_maps
-is not null.
-.br
+An address is considered "unknown" when 1) it does not match a
+\fBvirtual\fR(5) alias or \fBcanonical\fR(5) mapping, and 2) the address is not
+valid for its address class. For a definition of class\-based address
+validation, see
+ADDRESS_CLASS_README.
.PP
This feature is available in Postfix 2.1 and later.
.SH smtpd_reject_unlisted_sender (default: no)
access restriction is specified. This can slow down an explosion
of forged mail from worms or viruses.
.PP
-An address is considered "unknown" when it does not match a
-\fBvirtual\fR(5) alias or a \fBcanonical\fR(5) mapping, and one of the following
-conditions holds:
-.IP \(bu
-The sender domain matches $mydestination, $inet_interfaces or
-$proxy_interfaces, but the sender is not listed in
-$local_recipient_maps, and $local_recipient_maps is not null.
-.IP \(bu
-The sender domain matches $virtual_alias_domains but the sender
-is not listed in $virtual_alias_maps.
-.IP \(bu
-The sender domain matches $virtual_mailbox_domains but the
-sender is not listed in $virtual_mailbox_maps, and $virtual_mailbox_maps
-is not null.
-.IP \(bu
-The sender domain matches $relay_domains but the sender is
-not listed in $relay_recipient_maps, and $relay_recipient_maps is
-not null.
-.br
+An address is considered "unknown" when 1) it does not match a
+\fBvirtual\fR(5) alias or \fBcanonical\fR(5) mapping, and 2) the address is not
+valid for its address class. For a definition of class\-based address
+validation, see
+ADDRESS_CLASS_README.
.PP
This feature is available in Postfix 2.1 and later.
.SH smtpd_relay_before_recipient_restrictions (default: see "postconf \-d" output)
feature is available in Postfix 2.1 and later.
.br
.IP "\fBreject_authenticated_sender_login_mismatch\fR"
-Enforces the reject_sender_login_mismatch restriction for
-authenticated clients only. This feature is available in
-Postfix version 2.1 and later.
+Reject the request when the client is authenticated with SASL,
+but either the MAIL FROM address is not listed in $smtpd_sender_login_maps,
+or the SASL login name is not an owner for that address.
+.br
+This prevents an authenticated client from using a MAIL FROM address
+that they do not explicitly own.
+.br
+This feature is available in Postfix version 2.1 and later.
.br
.IP "\fBreject_known_sender_login_mismatch\fR"
-Apply the reject_sender_login_mismatch restriction only to MAIL
-FROM addresses that are known in $smtpd_sender_login_maps. This
-feature is available in Postfix version 2.11 and later.
+When the client is authenticated with SASL, reject the request
+when the MAIL FROM address is listed in $smtpd_sender_login_maps,
+but the SASL login name is not an owner for that address.
+.br
+When the client is not authenticated with SASL, reject the request
+when SASL is enabled, and the MAIL FROM address is listed in
+$smtpd_sender_login_maps.
+.br
+This protects any MAIL FROM address that is listed in
+$smtpd_sender_login_maps, while still allowing a client to use any
+unlisted MAIL FROM address.
+.br
+This feature is available in Postfix version 2.11 and later.
.br
.IP "\fBreject_non_fqdn_sender\fR"
Reject the request when the MAIL FROM address specifies a
This feature is available in Postfix 2.0 and later.
.br
.IP "\fBreject_sender_login_mismatch\fR"
-Reject the request when $smtpd_sender_login_maps specifies an
-owner for the MAIL FROM address, but the client is not (SASL) logged
-in as that MAIL FROM address owner; or when the client is (SASL)
-logged in, but the client login name doesn't own the MAIL FROM
-address according to $smtpd_sender_login_maps.
+As of Postfix 2.1, this is an alias for
+"reject_authenticated_sender_login_mismatch,
+reject_unauthenticated_sender_login_mismatch".
.br
.IP "\fBreject_unauthenticated_sender_login_mismatch\fR"
-Enforces the reject_sender_login_mismatch restriction for
-unauthenticated clients only. This feature is available in
-Postfix version 2.1 and later.
+Reject the request when SASL is enabled, the MAIL FROM address
+is listed in $smtpd_sender_login_maps, but the client is not
+authenticated with SASL.
+.br
+With SASL enabled, this prevents an unauthenticated client from
+using any MAIL FROM address that is listed in $smtpd_sender_login_maps.
+.br
+This feature is available in Postfix version 2.1 and later.
.br
.IP "\fBreject_unknown_sender_domain\fR"
Reject the request when Postfix is not the final destination for
<ul>
-<li> <p> The list of domains that are a member of the class: for
-example, all local domains, or all relay domains. </p>
+<li> <p> The list of domains that are a member of that address
+class: for example, all local domains, or all relay domains. </p>
-<li> <p> The default delivery transport. For example, the local,
+<li> <p> The default delivery transport for that address class. For
+example, the local,
virtual or relay delivery transport (delivery transports are defined
in master.cf). This helps to keep Postfix configurations simple,
by avoiding the need for explicit routing information in transport
<li> <p> Purpose: final delivery for traditional UNIX system accounts
and traditional Sendmail-style aliases. This is typically used for
-the canonical domains of the machine. For a discussion of the
+the canonical domains of the machine (for example, $myhostname,
+$mydomain). For a discussion of the
difference between canonical domains, hosted domains and other
domains, see the VIRTUAL_README file. </p>
<ul>
<li> <p> Purpose: hosted domains where each recipient address is
-aliased to a local UNIX system account or to a remote address. A
+aliased to an address in a different domain, for example, a local
+UNIX system account or a remote address. A
virtual alias example is given in the VIRTUAL_README file. </p>
<li> <p> Domain names are listed in virtual_alias_domains. The
$virtual_maps for Postfix 1.1 compatibility. </p>
<li> <p> There is no mail delivery transport parameter. Every
-address must be aliased to some other address. </p>
+address must be aliased to an address in some other domain. </p>
</ul>
mail) out of the mail queue. This is controlled by the
smtpd_reject_unlisted_recipient configuration parameter. </p>
-<li> <p> As of Postfix version 2.1, the SMTP server also rejects
+<li> <p> As of Postfix version 2.1, the SMTP server can also reject
unknown sender addresses (i.e. addresses that it would reject as
-unknown recipient addresses). Sender "egress filtering" can help
+an unknown recipient addresses). Sender "egress filtering" can help
to slow down an email worm explosion. This is controlled by the
smtpd_reject_unlisted_sender configuration parameter. </p>
operation of some of these programs). These programs can log to
postlogd(8) if they are run by the super-user, or if their executable
file has set-gid permission. Do not set this permission on programs
-other than postdrop(1) and postqueue(1).
+other than postdrop(1), postqueue(1), and (Postfix ≥ 3.7)
+postlog(1).
</ul>
<h2><a name="building">Building Milter applications</a></h2>
-<p> Milter applications have been written in C, JAVA and Perl, but
-this document deals with C applications only. For these, you need
+<p> Milter applications have been written in C, Haskell, Java, Perl,
+Python, Rust, and more, but
+this document covers C applications only. For these, you need
an object library that implements the Sendmail 8 Milter protocol.
Postfix currently does not provide such a library, but Sendmail
does. </p>
<p> You specify SMTP-only Milter applications (there can be more
than one) with the smtpd_milters parameter. Each Milter application
is identified by the name of its listening socket; other Milter
-configuration options will be discussed in later sections. Milter
-applications are applied in the order as specified, and the first
-Milter application that rejects a command will override the responses
-from other Milter applications. </p>
+configuration options will be discussed in later sections. Postfix
+sends commands to each Milter application in the order as configured
+with smtpd_milters. When a Milter application rejects a command,
+that will override responses from other Milter applications. </p>
<blockquote>
<pre>
<p> You specify non-SMTP Milter applications with the non_smtpd_milters
parameter. This parameter uses the same syntax as the smtpd_milters
parameter in the previous section. As with the SMTP-only filters,
-you can specify more than one Milter application; they are applied
-in the order as specified, and the first Milter application that
-rejects a command will override the responses from the other
-applications. </p>
+you can specify more than one Milter application. Postfix sends
+commands to each Milter application in the order as configured with
+non_smtpd_milters. When a Milter application rejects a command,
+that will override responses from other Milter applications. </p>
<blockquote>
<pre>
<h3><a name="send-macros">What macros will Postfix send to Milters?</a></h3>
<p> Postfix sends specific sets of macros at different Milter protocol
-stages. The sets are configured with the parameters as shown in the
-table below (EOH = end of headers; EOM = end of message). The
-protocol version is a number that Postfix sends at the beginning
-of the Milter protocol handshake. </p>
+stages. The names of these macros are configured with the parameters
+shown in the table below (EOH = end of headers; EOM = end of message).
+Some lists require a minimum Milter protocol version. </p>
<p> As of Sendmail 8.14.0, Milter applications can specify what
macros they want to receive at different Milter protocol stages.
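Review bot: the new sentence "Some lists require a minimum Milter protocol version" removes the only explanation of what the protocol version is (the number Postfix sends at the beginning of the handshake) and does not say where a reader checks or sets it. Keep a short definition or point to the milter_protocol parameter, so that the version requirement can still be interpreted.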
<p> The solution is to use Postfix version 2.4 or later. </p>
-<li> <p> Most Milter configuration options are global. Future Postfix
-versions may support per-Milter timeouts, per-Milter error handling,
-etc. </p>
+<li> <p> Postfix versions before 3.0 did not support per-Milter
+timeouts, per-Milter error handling, etc. </p>
</ul>
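Review bot: the rewritten item "Postfix versions before 3.0 did not support per-Milter timeouts, per-Milter error handling, etc." tells readers on 3.0 and later that per-Milter settings exist, but not where they are documented, and "etc." leaves the set of settings open. Link to the section or parameter that describes the per-Milter syntax and name the settings instead of "etc.".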
<dt><b><a name="reject_authenticated_sender_login_mismatch">reject_authenticated_sender_login_mismatch</a></b></dt>
-<dd>Enforces the reject_sender_login_mismatch restriction for
-authenticated clients only. This feature is available in
-Postfix version 2.1 and later. </dd>
+<dd> Reject the request when the client is authenticated with SASL,
+but either the MAIL FROM address is not listed in $smtpd_sender_login_maps,
+or the SASL login name is not an owner for that address.
+<br>
+This prevents an authenticated client from using a MAIL FROM address
+that they do not explicitly own.
+<br>
+This feature is available in Postfix version 2.1 and later. </dd>
<dt><b><a name="reject_known_sender_login_mismatch">reject_known_sender_login_mismatch</a></b></dt>
-<dd>Apply the reject_sender_login_mismatch restriction only to MAIL
-FROM addresses that are known in $smtpd_sender_login_maps. This
-feature is available in Postfix version 2.11 and later. </dd>
+<dd> When the client is authenticated with SASL, reject the request
+when the MAIL FROM address is listed in $smtpd_sender_login_maps,
+but the SASL login name is not an owner for that address.
+<br>
+When the client is not authenticated with SASL, reject the request
+when SASL is enabled, and the MAIL FROM address is listed in
+$smtpd_sender_login_maps.
+<br>
+This protects any MAIL FROM address that is listed in
+$smtpd_sender_login_maps, while still allowing a client to use any
+unlisted MAIL FROM address.
+<br>
+This feature is available in Postfix version 2.11 and later.</dd>
<dt><b><a name="reject_non_fqdn_sender">reject_non_fqdn_sender</a></b></dt>
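Review bot: in the reject_known_sender_login_mismatch text, "while still allowing a client to use any unlisted MAIL FROM address" is the behavioral difference from reject_authenticated_sender_login_mismatch, which rejects an authenticated client whose MAIL FROM address is not listed, yet the two entries never reference each other. Add a cross-reference so that an operator choosing between them sees that the "known" variant permits unlisted senders. Both entries also say "an owner for that address"; "an owner of that address" is the usual wording.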
<dt><b><a name="reject_sender_login_mismatch">reject_sender_login_mismatch</a></b></dt>
-<dd>Reject the request when $smtpd_sender_login_maps specifies an
-owner for the MAIL FROM address, but the client is not (SASL) logged
-in as that MAIL FROM address owner; or when the client is (SASL)
-logged in, but the client login name doesn't own the MAIL FROM
-address according to $smtpd_sender_login_maps.</dd>
+<dd> As of Postfix 2.1, this is an alias for
+"reject_authenticated_sender_login_mismatch,
+reject_unauthenticated_sender_login_mismatch".</dd>
<dt><b><a name="reject_unauthenticated_sender_login_mismatch">reject_unauthenticated_sender_login_mismatch</a></b></dt>
-<dd>Enforces the reject_sender_login_mismatch restriction for
-unauthenticated clients only. This feature is available in
-Postfix version 2.1 and later. </dd>
+<dd> Reject the request when SASL is enabled, the MAIL FROM address
+is listed in $smtpd_sender_login_maps, but the client is not
+authenticated with SASL.
+<br>
+With SASL enabled, this prevents an unauthenticated client from
+using any MAIL FROM address that is listed in $smtpd_sender_login_maps.
+<br>
+This feature is available in Postfix version 2.1 and later.</dd>
<dt><b><a name="reject_unknown_sender_domain">reject_unknown_sender_domain</a></b></dt>
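Review bot: the reject_unauthenticated_sender_login_mismatch text now applies only "when SASL is enabled", a condition the removed reject_sender_login_mismatch description did not carry. Say outright that with SASL disabled the restriction rejects nothing, so that nobody reads it as protecting listed addresses on a server without SASL. The new alias entry "As of Postfix 2.1, this is an alias for ..." also no longer says what the restriction did before 2.1; either describe that or drop the "As of" qualifier.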
from filling up with undeliverable MAILER-DAEMON messages.
</p>
-<p> An address is considered "unknown" when it does not match a
-virtual(5) alias or a canonical(5) mapping, and one of the following
-conditions holds: </p>
-
-<ul>
-
-<li> The recipient domain matches $mydestination, $inet_interfaces
-or $proxy_interfaces, but the recipient is not listed in
-$local_recipient_maps, and $local_recipient_maps is not null.
-
-<li> The recipient domain matches $virtual_alias_domains but the
-recipient is not listed in $virtual_alias_maps.
-
-<li> The recipient domain matches $virtual_mailbox_domains but the
-recipient is not listed in $virtual_mailbox_maps, and $virtual_mailbox_maps
-is not null.
-
-<li> The recipient domain matches $relay_domains but the recipient
-is not listed in $relay_recipient_maps, and $relay_recipient_maps
-is not null.
-
-</ul>
+<p> An address is considered "unknown" when 1) it does not match a
+virtual(5) alias or canonical(5) mapping, and 2) the address is not
+valid for its address class. For a definition of class-based address
+validation, see <a href="ADDRESS_CLASS_README.html#classes">
+ADDRESS_CLASS_README</a>. </p>
<p>
This feature is available in Postfix 2.1 and later.
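Review bot: replacing the four-item list with a link removes the "and $local_recipient_maps is not null" style conditions from postconf(5), and those are what tell an operator that an empty map turns recipient validation off for that class. Confirm that ADDRESS_CLASS_README.html#classes states the not-null condition for each class, or keep one sentence about it here. The line break between the opening anchor tag and "ADDRESS_CLASS_README" also puts leading whitespace inside the link text.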
<p> Request that the Postfix SMTP server rejects mail from unknown
sender addresses, even when no explicit reject_unlisted_sender
access restriction is specified. This can slow down an explosion
-of forged mail from worms or viruses. </p>
-
-<p> An address is considered "unknown" when it does not match a
-virtual(5) alias or a canonical(5) mapping, and one of the following
-conditions holds: </p>
-
-<ul>
+of forged mail from worms or viruses. </p>
-<li> The sender domain matches $mydestination, $inet_interfaces or
-$proxy_interfaces, but the sender is not listed in
-$local_recipient_maps, and $local_recipient_maps is not null.
-
-<li> The sender domain matches $virtual_alias_domains but the sender
-is not listed in $virtual_alias_maps.
-
-<li> The sender domain matches $virtual_mailbox_domains but the
-sender is not listed in $virtual_mailbox_maps, and $virtual_mailbox_maps
-is not null.
-
-<li> The sender domain matches $relay_domains but the sender is
-not listed in $relay_recipient_maps, and $relay_recipient_maps is
-not null.
-
-</ul>
+<p> An address is considered "unknown" when 1) it does not match a
+virtual(5) alias or canonical(5) mapping, and 2) the address is not
+valid for its address class. For a definition of class-based address
+validation, see <a href="ADDRESS_CLASS_README.html#classes">
+ADDRESS_CLASS_README</a>. </p>
<p>
This feature is available in Postfix 2.1 and later.
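Review bot: the removed and re-added line "of forged mail from worms or viruses. </p>" looks like a whitespace-only change; drop it from the patch if it is unintended. The removed list also documented that sender addresses are checked against the recipient tables ($local_recipient_maps, $relay_recipient_maps and so on), which is not obvious from "valid for its address class". Make sure the linked section says so for senders.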
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20220509"
+#define MAIL_RELEASE_DATE "20220527"
#define MAIL_VERSION_NUMBER "3.8"
#ifdef SNAPSHOT
#define SMFIC_OPTNEG 'O' /* Option negotiation */
#define SMFIC_QUIT 'Q' /* QUIT */
#define SMFIC_RCPT 'R' /* RCPT to */
+ /* Introduced with Sendmail 8.13. */
#define SMFIC_DATA 'T' /* DATA */
#define SMFIC_UNKNOWN 'U' /* Any unknown command */
/* Introduced with Sendmail 8.14. */
"SMFIC_OPTNEG", SMFIC_OPTNEG,
"SMFIC_QUIT", SMFIC_QUIT,
"SMFIC_RCPT", SMFIC_RCPT,
+ /* Introduced with Sendmail 8.13. */
"SMFIC_DATA", SMFIC_DATA,
"SMFIC_UNKNOWN", SMFIC_UNKNOWN,
/* Introduced with Sendmail 8.14. */
#define SMFIP_NOBODY (1L<<4) /* filter does not want body */
#define SMFIP_NOHDRS (1L<<5) /* filter does not want headers */
#define SMFIP_NOEOH (1L<<6) /* filter does not want EOH */
-#define SMFIP_NR_HDR (1L<<7) /* filter won't reply for header */
+ /* Introduced with Sendmail 8.13. */
#define SMFIP_NOHREPL SMFIP_NR_HDR
+ /* Introduced with Sendmail 8.14. */
+#define SMFIP_NR_HDR (1L<<7) /* filter won't reply for header */
#define SMFIP_NOUNKNOWN (1L<<8) /* filter does not want unknown cmd */
#define SMFIP_NODATA (1L<<9) /* filter does not want DATA */
- /* Introduced with Sendmail 8.14. */
#define SMFIP_SKIP (1L<<10)/* MTA supports SMFIR_SKIP */
#define SMFIP_RCPT_REJ (1L<<11)/* filter wants rejected RCPTs */
#define SMFIP_NR_CONN (1L<<12)/* filter won't reply for connect */
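Review bot: after the reorder, "#define SMFIP_NOHREPL SMFIP_NR_HDR" sits above the definition of SMFIP_NR_HDR and under the 8.13 annotation, while the macro it expands to is annotated 8.14. It compiles because the macro is expanded at the point of use, but a one-line comment saying that SMFIP_NOHREPL is the older name for the same bit would stop a reader from taking this as an ordering mistake. The move also places SMFIP_NOUNKNOWN and SMFIP_NODATA under the 8.14 annotation, whereas SMFIC_DATA and SMFIC_UNKNOWN are annotated 8.13 in the earlier hunk; if that difference is intended, say so in the comment.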
"SMFIP_NOBODY", SMFIP_NOBODY,
"SMFIP_NOHDRS", SMFIP_NOHDRS,
"SMFIP_NOEOH", SMFIP_NOEOH,
+ /* Introduced with Sendmail 8.14. */
"SMFIP_NR_HDR", SMFIP_NR_HDR,
"SMFIP_NOUNKNOWN", SMFIP_NOUNKNOWN,
"SMFIP_NODATA", SMFIP_NODATA,
- /* Introduced with Sendmail 8.14. */
"SMFIP_SKIP", SMFIP_SKIP,
"SMFIP_RCPT_REJ", SMFIP_RCPT_REJ,
"SMFIP_NR_CONN", SMFIP_NR_CONN,
#define SMFIF_ADDRCPT (1L<<2) /* filter may add recipients */
#define SMFIF_DELRCPT (1L<<3) /* filter may delete recipients */
#define SMFIF_CHGHDRS (1L<<4) /* filter may change/delete headers */
+ /* Introduced with Sendmail 8.13. */
#define SMFIF_QUARANTINE (1L<<5) /* filter may quarantine envelope */
/* Introduced with Sendmail 8.14. */
#define SMFIF_CHGFROM (1L<<6) /* filter may replace sender */
"SMFIF_ADDRCPT", SMFIF_ADDRCPT,
"SMFIF_DELRCPT", SMFIF_DELRCPT,
"SMFIF_CHGHDRS", SMFIF_CHGHDRS,
+ /* Introduced with Sendmail 8.13. */
"SMFIF_QUARANTINE", SMFIF_QUARANTINE,
/* Introduced with Sendmail 8.14. */
"SMFIF_CHGFROM", SMFIF_CHGFROM,