Portability: added a tls_random_source default setting for
MacOS X. Viktor Dukhovni. File: util/sys_defs.h.
+
+20150118
+
+ Bitrot: OpenSSL 1.1.0-dev (aka the "master" branch) has new
+ security levels ranging from 0 to 5. Level "0" is backwards
+ compatible, and other levels are increasingly restrictive.
+ Viktor Dukhovni. Files: tls/tls_server.c, tls/tls_client.c.
+
+20161205
+
+ Portability: Postfix TLS support uses /dev/urandom if
+ available and no system-specific setting exists in sys_defs.h.
+ Files: makedefs, util/sys_defs.h.
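Review bot: the 20161205 entry ("Postfix TLS support uses /dev/urandom if available and no system-specific setting exists in sys_defs.h") does not say whether "available" is decided at build time by makedefs or at run time, nor which configuration parameter it affects; the earlier entry in the same hunk names the tls_random_source default for MacOS X, so this entry should likewise say that it changes the tls_random_source default and that the probe lives in makedefs, so an operator reviewing the change can check the effective setting with postconf. As written, a reader cannot tell from the entry alone whether a system without /dev/urandom silently falls back to a weaker source or fails at build time.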
-Postfix Installation From Source Code
-
--------------------------------------------------------------------------------
-
-1 - Purpose of this document
-
-If you are using a pre-compiled version of Postfix, you should start with
-BASIC_CONFIGURATION_README and the general documentation referenced by it.
-INSTALL is only a bootstrap document to get Postfix up and running from scratch
-with the minimal number of steps; it should not be considered part of the
-general documentation.
-
-This document describes how to build, install and configure a Postfix system so
-that it can do one of the following:
-
- * Send mail only, without changing an existing Sendmail installation.
- * Send and receive mail via a virtual host interface, still without any
- change to an existing Sendmail installation.
- * Run Postfix instead of Sendmail.
-
-Topics covered in this document:
-
- 1. Purpose of this document
- 2. Typographical conventions
- 3. Documentation
- 4. Building on a supported system
- 5. Porting Postfix to an unsupported system
- 6. Installing the software after successful compilation
- 7. Configuring Postfix to send mail only
- 8. Configuring Postfix to send and receive mail via virtual interface
- 9. Running Postfix instead of Sendmail
-10. Mandatory configuration file edits
-11. To chroot or not to chroot
-12. Care and feeding of the Postfix system
-
-2 - Typographical conventions
-
-In the instructions below, a command written as
-
- # command
-
-should be executed as the superuser.
-
-A command written as
-
- $ command
-
-should be executed as an unprivileged user.
-
-3 - Documentation
-
-Documentation is available as README files (start with the file README_FILES/
-AAAREADME), as HTML web pages (point your browser to "html/index.html") and as
-UNIX-style manual pages.
-
-You should view the README files with a pager such as more(1) or less(1),
-because the files use backspace characters in order to produce bold font. To
-print a README file without backspace characters, use the col(1) command. For
-example:
-
- $ col -bx <file | lpr
-
-In order to view the manual pages before installing Postfix, point your MANPATH
-environment variable to the "man" subdirectory; be sure to use an absolute
-path.
-
- $ export MANPATH; MANPATH="`pwd`/man:$MANPATH"
- $ setenv MANPATH "`pwd`/man:$MANPATH"
-
-Of particular interest is the postconf(5) manual page that lists all the 500+
-configuration parameters. The HTML version of this text makes it easy to
-navigate around.
-
-All Postfix source files have their own built-in manual page. Tools to extract
-those embedded manual pages are available in the mantools directory.
-
-4 - Building on a supported system
-
-Postfix development happens on FreeBSD and MacOS X, with regular tests on Linux
-(Fedora, Ubuntu) and Solaris. Support for other systems relies on feedback from
-their users, and may not always be up-to-date.
-
-OpenBSD is partially supported. The libc resolver does not implement the
-documented "internal resolver options which are [...] set by changing fields in
-the _res structure" (documented in the OpenBSD 5.6 resolver(3) manpage). This
-results in too many DNS queries, and false positives for queries that should
-fail.
-
-Overview of topics:
-
- * 4.1 - Getting started
- * 4.2 - What compiler to use
- * 4.3 - Building with Postfix position-independent executables (Postfix >=
- 3.0)
- * 4.4 - Building with Postfix dynamically-linked libraries and database
- plugins (Postfix >= 3.0)
- * 4.5 - Building with optional features
- * 4.6 - Overriding built-in parameter default settings
- * 4.7 - Overriding other compile-time features
- * 4.8 - Support for thousands of processes
- * 4.9 - Compiling Postfix, at last
-
-4.1 - Getting started
-
-On Solaris, the "make" command and other development utilities are in /usr/ccs/
-bin, so you MUST have /usr/ccs/bin in your command search path. If these files
-do not exist, you need to install the development packages first.
-
-If you need to build Postfix for multiple architectures from a single source-
-code tree, use the "lndir" command to build a shadow tree with symbolic links
-to the source files.
-
-If at any time in the build process you get messages like: "make: don't know
-how to ..." you should be able to recover by running the following command from
-the Postfix top-level directory:
-
- $ make -f Makefile.init makefiles
-
-If you copied the Postfix source code after building it on another machine, it
-is a good idea to cd into the top-level directory and first do this:
-
- $ make tidy
-
-This will get rid of any system dependencies left over from compiling the
-software elsewhere.
-
-4.2 - What compiler to use
-
-To build with GCC, or with the native compiler if people told me that is better
-for your system, just cd into the top-level Postfix directory of the source
-tree and type:
-
- $ make
-
-To build with a non-default compiler, you need to specify the name of the
-compiler. Here are a few examples:
-
- $ make makefiles CC=/opt/SUNWspro/bin/cc (Solaris)
- $ make
-
- $ make makefiles CC="/opt/ansic/bin/cc -Ae" (HP-UX)
- $ make
-
- $ make makefiles CC="purify cc"
- $ make
-
-and so on. In some cases, optimization will be turned off automatically.
-
-4.3 - Building with Postfix position-independent executables (Postfix >= 3.0)
-
-On some systems Postfix can be built with Position-Independent Executables. PIE
-is used by the ASLR exploit mitigation technique (ASLR = Address-Space Layout
-Randomization):
-
- $ make makefiles pie=yes ...other arguments...
-
-(Specify "make makefiles pie=no" to explicitly disable Postfix position-
-independent executable support).
-
-Postfix PIE support appears to work on Fedora Core 20, Ubuntu 14.04, FreeBSD 9
-and 10, and NetBSD 6 (all with the default system compilers).
-
-Whether the "pie=yes" above has any effect depends on the compiler. Some
-compilers always produce PIE executables, and some may even complain that the
-Postfix build option is redundant.
-
-4.4 - Building with Postfix dynamically-linked libraries and database plugins
-(Postfix >= 3.0)
-
-Postfix dynamically-linked library and database plugin support exists for
-recent versions of Linux, FreeBSD and MacOS X. Dynamically-linked library
-builds may become the default at some point in the future.
-
-Overview of topics:
-
- * 4.4.1 Turning on Postfix dynamically-linked library support
- * 4.4.2 Turning on Postfix database-plugin support
- * 4.4.3 Customizing Postfix dynamically-linked libraries and database plugins
- * 4.4.4 Tips for distribution maintainers
-
-Note: directories with Postfix dynamically-linked libraries or database plugins
-should contain only postfix-related files. Postfix dynamically-linked libraries
-and database plugins should not be installed in a "public" system directory
-such as /usr/lib or /usr/local/lib. Linking Postfix dynamically-linked library
-or database-plugin files into non-Postfix programs is not supported. Postfix
-dynamically-linked libraries and database plugins implement a Postfix-internal
-API that changes without maintaining compatibility.
-
-4.4.1 Turning on Postfix dynamically-linked library support
-
-Postfix can be built with Postfix dynamically-linked libraries (files typically
-named libpostfix-*.so). Postfix dynamically-linked libraries add minor run-time
-overhead and result in significantly-smaller Postfix executable files.
-
-Specify "shared=yes" on the "make makefiles" command line to build Postfix with
-dynamically-linked library support.
-
- $ make makefiles shared=yes ...other arguments...
- $ make
-
-(Specify "make makefiles shared=no" to explicitly disable Postfix dynamically-
-linked library support).
-
-This installs dynamically-linked libraries in $shlib_directory, typically /usr/
-lib/postfix or /usr/local/lib/postfix, with file names libpostfix-name.so,
-where the name is a source-code directory name such as "util" or "global".
-
-See section 4.4.3 "Customizing Postfix dynamically-linked libraries and
-database plugins" below for how to customize the Postfix dynamically-linked
-library location, including support to upgrade a running mail system safely.
-
-4.4.2 Turning on Postfix database-plugin support
-
-Additionally, Postfix can be built to support dynamic loading of Postfix
-database clients (database plugins) with the Debian-style dynamicmaps feature.
-Postfix 3.0 supports dynamic loading of cdb:, ldap:, lmdb:, mysql:, pcre:,
-pgsql:, sdbm:, and sqlite: database clients. Dynamic loading is useful when you
-distribute or install pre-compiled Postfix packages.
-
-Specify "dynamicmaps=yes" on the "make makefiles" command line to build Postfix
-with support to dynamically load Postfix database clients with the Debian-style
-dynamicmaps feature.
-
- $ make makefiles dynamicmaps=yes ...other arguments...
- $ make
-
-(Specify "make makefiles dynamicmaps=no" to explicitly disable Postfix
-database-plugin support).
-
-This implicitly enables dynamically-linked library support, installs the
-configuration file dynamicmaps.cf in $meta_directory (usually, /etc/postfix or
-/usr/local/etc/postfix), and installs database plugins in $shlib_directory (see
-above). Database plugins are named postfix-type.so where the type is a database
-type such as "cdb" or "ldap".
-
- NOTE: The Postfix 3.0 build procedure expects that you specify database
- library dependencies with variables named AUXLIBS_CDB, AUXLIBS_LDAP, etc.
- With Postfix 3.0 and later, the old AUXLIBS variable still supports
- building a statically-loaded database client, but only the new AUXLIBS_CDB
- etc. variables support building a dynamically-loaded or statically-loaded
- CDB etc. database client. See CDB_README, LDAP_README, etc. for details.
-
- Failure to follow this advice will defeat the purpose of dynamic database
- client loading. Every Postfix executable file will have database library
- dependencies. And that was exactly what dynamic database client loading was
- meant to avoid.
-
-See the next section for how to customize the location and version of Postfix
-database plugins and the location of the file dynamicmaps.cf.
-
-4.4.3 Customizing Postfix dynamically-linked libraries and database plugins
-
-Customizing build-time and run-time options for Postfix dynamically-linked
-libraries and database plugins
-
-The build-time environment variables SHLIB_CFLAGS, SHLIB_RPATH, and
-SHLIB_SUFFIX provide control over how Postfix libraries and plugins are
-compiled, linked, and named.
-
- $ make makefiles SHLIB_CFLAGS=flags SHLIB_RPATH=rpath SHLIB_SUFFIX=suffix
- ...other arguments...
- $ make
-
-See section 4.7 "Overriding other compile-time features" below for details.
-
-Customizing the location of Postfix dynamically-linked libraries and database
-plugins
-
-As a reminder, the directories with Postfix dynamically-linked libraries or
-database plugins should contain only Postfix-related files. Linking these files
-into other programs is not supported.
-
-To override the default location of Postfix dynamically-linked libraries and
-database plugins specify, for example:
-
- $ make makefiles shared=yes shlib_directory=/usr/local/lib/postfix ...
-
-If you intend to upgrade Postfix without stopping the mail system, then you
-should append the Postfix release version to the shlib_directory pathname, to
-eliminate the possibility that programs will link with dynamically-linked
-libraries or database plugins from the wrong Postfix version. For example:
-
- $ make makefiles shared=yes \
- shlib_directory=/usr/local/lib/postfix/MAIL_VERSION ...
-
-The command "make makefiles name=value..." will replace the string MAIL_VERSION
-at the end of a configuration parameter value with the Postfix release version.
-Do not try to specify something like $mail_version on this command line. This
-produces inconsistent results with different versions of the make(1) command.
-
-You can change the shlib_directory setting after Postfix is built, with "make
-install" or "make upgrade". However, you may have to run ldconfig if you change
-shlib_directory after Postfix is built (the symptom is that Postfix programs
-fail because the run-time linker cannot find the files libpostfix-*.so). No
-ldconfig command is needed if you keep the files libpostfix-*.so in the
-compiled-in default $shlib_directory location.
-
- # make upgrade shlib_directory=/usr/local/lib/postfix ...
- # make install shlib_directory=/usr/local/lib/postfix ...
-
-To append the Postfix release version to the pathname if you intend to upgrade
-Postfix without stopping the mail system:
-
- # make upgrade shlib_directory=/usr/local/lib/postfix/MAIL_VERSION ...
- # make install shlib_directory=/usr/local/lib/postfix/MAIL_VERSION ...
-
-See also the comments above for appending MAIL_VERSION with the "make
-makefiles" command.
-
-Customizing the location of dynamicmaps.cf and other files
-
-The meta_directory parameter has the same default setting as the
-config_directory parameter, typically /etc/postfix or /usr/local/etc/postfix.
-
-You can override the default meta_directory location at compile time or after
-Postfix is built. To override the default location at compile time specify, for
-example:
-
- % make makefiles meta_directory=/usr/libexec/postfix ...
-
-Here is a tip if you want to make a pathname dependent on the Postfix release
-version: the command "make makefiles name=value..." will replace the string
-MAIL_VERSION at the end of a configuration parameter value with the Postfix
-release version. Do not try to specify something like $mail_version on this
-command line. This produces inconsistent results with different versions of the
-make(1) command.
-
-You can override the meta_directory setting after Postfix is built, with "make
-install" or "make upgrade".
-
- # make upgrade meta_directory=/usr/libexec/postfix ...
- # make install meta_directory=/usr/libexec/postfix ...
-
-As with the command "make makefiles, the command "make install/upgrade
-name=value..." will replace the string MAIL_VERSION at the end of a
-configuration parameter value with the Postfix release version. Do not try to
-specify something like $mail_version on this command line. This produces
-inconsistent results with different versions of the make(1) command.
-
-4.4.4 Tips for distribution maintainers
-
- * The shlib_directory parameter setting also provides the default directory
- for database plugin files with a relative pathname in the file
- dynamicmaps.cf.
-
- * The meta_directory parameter specifies the location of the files
- dynamicmaps.cf, postfix-files, and some multi-instance template files. The
- meta_directory parameter has the same default value as the config_directory
- parameter (typically, /etc/postfix or /usr/local/etc/postfix). For
- backwards compatibility with Postfix 2.6 .. 2.11, specify "meta_directory =
- $daemon_directory" in main.cf before installing or upgrading Postfix, or
- specify "meta_directory = /path/name" on the "make makefiles", "make
- install" or "make upgrade" command line.
-
- * The configuration file dynamicmaps.cf will automatically include files
- under the directory dynamicmaps.cf.d, just like the configuration file
- postfix-files will automatically include files under the directory postfix-
- files.d. Thanks to this, you can install or deinstall a database plugin
- package without having to edit postfix-files or dynamicmaps.cf. Instead,
- you give that plugin its own configuration files dynamicmaps.cf.d and
- postfix-files.d, and you add or remove those configuration files along with
- the database plugin dynamically-linked object.
-
- * Each configuration file under the directory dynamicmaps.cf.d must have the
- same format as the configuration file dynamicmaps.cf. There is no
- requirement that these configuration file *names* have a specific format.
-
- * Each configuration file under the directory postfix-files.d must have the
- same format as the configuration file postfix-files. There is no
- requirement that these configuration file *names* have a specific format.
-
-4.5 - Building with optional features
-
-By default, Postfix builds as a mail system with relatively few bells and
-whistles. Support for third-party databases etc. must be configured when
-Postfix is compiled. The following documents describe how to build Postfix with
-support for optional features:
-
- _____________________________________________________________
- |Optional feature |Document |Availability|
- |__________________________________|_____________|____________|
- |Berkeley DB database |DB_README |Postfix 1.0 |
- |__________________________________|_____________|____________|
- |LMDB database |LMDB_README |Postfix 2.11|
- |__________________________________|_____________|____________|
- |LDAP database |LDAP_README |Postfix 1.0 |
- |__________________________________|_____________|____________|
- |MySQL database |MYSQL_README |Postfix 1.0 |
- |__________________________________|_____________|____________|
- |Perl compatible regular expression|PCRE_README |Postfix 1.0 |
- |__________________________________|_____________|____________|
- |PostgreSQL database |PGSQL_README |Postfix 2.0 |
- |__________________________________|_____________|____________|
- |SASL authentication |SASL_README |Postfix 1.0 |
- |__________________________________|_____________|____________|
- |SQLite database |SQLITE_README|Postfix 2.8 |
- |__________________________________|_____________|____________|
- |STARTTLS session encryption |TLS_README |Postfix 2.2 |
- |__________________________________|_____________|____________|
-
-Note: IP version 6 support is compiled into Postfix on operating systems that
-have IPv6 support. See the IPV6_README file for details.
-
-4.6 - Overriding built-in parameter default settings
-
-4.6.1 - Postfix 3.0 and later
-
-All Postfix configuration parameters can be changed by editing a Postfix
-configuration file, except for one: the parameter that specifies the location
-of Postfix configuration files. In order to build Postfix with a configuration
-directory other than /etc/postfix, use:
-
- $ make makefiles config_directory=/some/where ...other arguments...
- $ make
-
-The command "make makefiles name=value ..." will replace the string
-MAIL_VERSION at the end of a configuration parameter value with the Postfix
-release version. Do not try to specify something like $mail_version on this
-command line. This produces inconsistent results with different versions of the
-make(1) command.
-
-Parameters whose defaults can be specified in this way are listed below. See
-the postconf(5) manpage for a description (command: "nroff -man man/man5/
-postconf.5 | less").
-
- __________________________________________
- |parameter name |typical default |
- |_____________________|____________________|
- |command_directory |/usr/sbin |
- |_____________________|____________________|
- |config_directory |/etc/postfix |
- |_____________________|____________________|
- |default_database_type|hash |
- |_____________________|____________________|
- |daemon_directory |/usr/libexec/postfix|
- |_____________________|____________________|
- |data_directory |/var/lib/postfix |
- |_____________________|____________________|
- |html_directory |no |
- |_____________________|____________________|
- |mail_spool_directory |/var/mail |
- |_____________________|____________________|
- |mailq_path |/usr/bin/mailq |
- |_____________________|____________________|
- |manpage_directory |/usr/local/man |
- |_____________________|____________________|
- |meta_directory |/etc/postfix |
- |_____________________|____________________|
- |newaliases_path |/usr/bin/newaliases |
- |_____________________|____________________|
- |openssl_path |openssl |
- |_____________________|____________________|
- |queue_directory |/var/spool/postfix |
- |_____________________|____________________|
- |readme_directory |no |
- |_____________________|____________________|
- |sendmail_path |/usr/sbin/sendmail |
- |_____________________|____________________|
- |shlib_directory |/usr/lib/postfix |
- |_____________________|____________________|
-
-4.6.2 - All Postfix versions
-
-All Postfix configuration parameters can be changed by editing a Postfix
-configuration file, except for one: the parameter that specifies the location
-of Postfix configuration files. In order to build Postfix with a configuration
-directory other than /etc/postfix, use:
-
- $ make makefiles CCARGS='-DDEF_CONFIG_DIR=\"/some/where\"'
- $ make
-
-IMPORTANT: Be sure to get the quotes right. These details matter a lot.
-
-Parameters whose defaults can be specified in this way are listed below. See
-the postconf(5) manpage for a description (command: "nroff -man man/man5/
-postconf.5 | less").
-
- ____________________________________________________________
- |Macro name |default value for |typical default |
- |_________________|_____________________|____________________|
- |DEF_COMMAND_DIR |command_directory |/usr/sbin |
- |_________________|_____________________|____________________|
- |DEF_CONFIG_DIR |config_directory |/etc/postfix |
- |_________________|_____________________|____________________|
- |DEF_DB_TYPE |default_database_type|hash |
- |_________________|_____________________|____________________|
- |DEF_DAEMON_DIR |daemon_directory |/usr/libexec/postfix|
- |_________________|_____________________|____________________|
- |DEF_DATA_DIR |data_directory |/var/lib/postfix |
- |_________________|_____________________|____________________|
- |DEF_MAILQ_PATH |mailq_path |/usr/bin/mailq |
- |_________________|_____________________|____________________|
- |DEF_HTML_DIR |html_directory |no |
- |_________________|_____________________|____________________|
- |DEF_MANPAGE_DIR |manpage_directory |/usr/local/man |
- |_________________|_____________________|____________________|
- |DEF_NEWALIAS_PATH|newaliases_path |/usr/bin/newaliases |
- |_________________|_____________________|____________________|
- |DEF_QUEUE_DIR |queue_directory |/var/spool/postfix |
- |_________________|_____________________|____________________|
- |DEF_README_DIR |readme_directory |no |
- |_________________|_____________________|____________________|
- |DEF_SENDMAIL_PATH|sendmail_path |/usr/sbin/sendmail |
- |_________________|_____________________|____________________|
-
-Note: the data_directory parameter (for caches and pseudo-random numbers) was
-introduced with Postfix version 2.5.
-
-4.7 - Overriding other compile-time features
-
-The general method to override Postfix compile-time features is as follows:
-
- $ make makefiles name=value name=value...
- $ make
-
-The following is an extensive list of names and values.
-
- _____________________________________________________________________________
-|Name/Value |Description |
-|______________________________|______________________________________________|
-| |Specifies one or more non-default object |
-| |libraries. Postfix 3.0 and later specify some |
-| |of their database library dependencies with |
-|AUXLIBS="object_library..." |AUXLIBS_CDB, AUXLIBS_LDAP, AUXLIBS_LMDB, |
-| |AUXLIBS_MYSQL, AUXLIBS_PCRE, AUXLIBS_PGSQL, |
-| |AUXLIBS_SDBM, and AUXLIBS_SQLITE, |
-| |respectively. |
-|______________________________|______________________________________________|
-|CC=compiler_command |Specifies a non-default compiler. On many |
-| |systems, the default is gcc. |
-|______________________________|______________________________________________|
-| |Specifies non-default compiler arguments, for |
-|CCARGS="compiler_arguments..."|example, a non-default include directory. The |
-| |following directives turn off Postfix features|
-| |at compile time: |
-|______________________________|______________________________________________|
-|| |Do not build with Berkeley DB support. By |
-|| |default, Berkeley DB support is compiled in on|
-||-DNO_DB |platforms that are known to support this |
-|| |feature. If you override this, then you |
-|| |probably should also override DEF_DB_TYPE as |
-|| |described in section 4.6. |
-||_____________________________|______________________________________________|
-||-DNO_DNSSEC |Do not build with DNSSEC support, even if the |
-|| |resolver library appears to support it. |
-||_____________________________|______________________________________________|
-|| |Do not build with Solaris /dev/poll support. |
-||-DNO_DEVPOLL |By default, /dev/poll support is compiled in |
-|| |on Solaris versions that are known to support |
-|| |this feature. |
-||_____________________________|______________________________________________|
-|| |Do not build with Linux EPOLL support. By |
-||-DNO_EPOLL |default, EPOLL support is compiled in on |
-|| |platforms that are known to support this |
-|| |feature. |
-||_____________________________|______________________________________________|
-|| |Do not build with EAI (SMTPUTF8) support. By |
-||-DNO_EAI |default, EAI support is compiled in when the |
-|| |"icuuc" library and header files are found. |
-||_____________________________|______________________________________________|
-|| |Do not require support for C99 "inline" |
-||-DNO_INLINE |functions. Instead, implement argument |
-|| |typechecks for non-printf/scanf-like functions|
-|| |with ternary operators and unreachable code. |
-||_____________________________|______________________________________________|
-|| |Do not build with IPv6 support. By default, |
-|| |IPv6 support is compiled in on platforms that |
-||-DNO_IPV6 |are known to have IPv6 support. Note: this |
-|| |directive is for debugging and testing only. |
-|| |It is not guaranteed to work on all platforms.|
-||_____________________________|______________________________________________|
-|| |Do not build with FreeBSD / NetBSD / OpenBSD /|
-||-DNO_KQUEUE |MacOSX KQUEUE support. By default, KQUEUE |
-|| |support is compiled in on platforms that are |
-|| |known to support it. |
-||_____________________________|______________________________________________|
-|| |Do not build with NIS or NISPLUS support. NIS |
-||-DNO_NIS |is not available on some recent Linux |
-|| |distributions. |
-||_____________________________|______________________________________________|
-|| |Do not build with NISPLUS support. NISPLUS is |
-||-DNO_NISPLUS |not available on some recent Solaris |
-|| |distributions. |
-||_____________________________|______________________________________________|
-|| |Do not build with PCRE support. By default, |
-||-DNO_PCRE |PCRE support is compiled in when the pcre- |
-|| |config utility is installed. |
-||_____________________________|______________________________________________|
-|| |Disable support for POSIX getpwnam_r/ |
-||-DNO_POSIX_GETPW_R |getpwuid_r. By default Postfix uses these |
-|| |where they are known to be available. |
-||_____________________________|______________________________________________|
-|| |Use setjmp()/longjmp() instead of sigsetjmp()/|
-||-DNO_SIGSETJMP |siglongjmp(). By default, Postfix uses |
-|| |sigsetjmp()/siglongjmp() when they are known |
-|| |to be available. |
-||_____________________________|______________________________________________|
-| |Specifies a non-default compiler debugging |
-|DEBUG=debug_level |level. The default is "-g". Specify DEBUG= to |
-| |turn off debugging. |
-|______________________________|______________________________________________|
-| |Specifies a non-default optimization level. |
-|OPT=optimization_level |The default is "-O". Specify OPT= to turn off |
-| |optimization. |
-|______________________________|______________________________________________|
-| |Specifies non-default compiler options for |
-|SHLIB_CFLAGS=flags |building Postfix dynamically-linked libraries |
-| |and database plugins. The typical default is |
-| |"-fPIC". |
-|______________________________|______________________________________________|
-| |Specifies a non-default runpath for Postfix |
-|SHLIB_RPATH=rpath |dynamically-linked libraries. The typical |
-| |default is "'-Wl,-rpath,${SHLIB_DIR}'". |
-|______________________________|______________________________________________|
-| |Specifies a non-default suffix for Postfix |
-|SHLIB_SUFFIX=suffix |dynamically-linked libraries and database |
-| |plugins. The typical default is ".so". |
-|______________________________|______________________________________________|
-| |Specifies non-default compiler warning options|
-|WARN="warning_flags..." |for use when "make" is invoked in a source |
-| |subdirectory only. |
-|______________________________|______________________________________________|
-
-4.8 - Support for thousands of processes
-
-The number of connections that Postfix can manage simultaneously is limited by
-the number of processes that it can run. This number in turn is limited by the
-number of files and sockets that a single process can open. For example, the
-Postfix queue manager has a separate connection to each delivery process, and
-the anvil(8) server has one connection per smtpd(8) process.
-
-Postfix version 2.4 and later have no built-in limits on the number of open
-files or sockets, when compiled on systems that support one of the following:
-
- * BSD kqueue(2) (FreeBSD 4.1, NetBSD 2.0, OpenBSD 2.9),
- * Solaris 8 /dev/poll,
- * Linux 2.6 epoll(4).
-
-With other Postfix versions or operating systems, the number of file
-descriptors per process is limited by the value of the FD_SETSIZE macro. If you
-expect to run more than 1000 mail delivery processes, you may need to override
-the definition of the FD_SETSIZE macro to make select() work correctly:
-
- $ make makefiles CCARGS=-DFD_SETSIZE=2048
-
-Warning: the above has no effect on some Linux versions. Apparently, on these
-systems the FD_SETSIZE value can be changed only by using undocumented
-interfaces. Currently, that means including <bits/types.h> directly (which is
-not allowed) and overriding the __FD_SETSIZE macro. Beware, undocumented
-interfaces can change at any time and without warning.
-
-But wait, there is more: none of this will work unless the operating system is
-configured to handle thousands of connections. See the TUNING_README guide for
-examples of how to increase the number of open sockets or files.
-
-4.9 - Compiling Postfix, at last
-
-If the command
-
- $ make
-
-is successful, then you can proceed to install Postfix (section 6).
-
-If the command produces compiler error messages, it may be time to search the
-web or to ask the postfix-users@postfix.org mailing list, but be sure to search
-the mailing list archives first. Some mailing list archives are linked from
-http://www.postfix.org/.
-
-5 - Porting Postfix to an unsupported system
-
-Each system type that Postfix knows is identified by a unique name. Examples:
-SUNOS5, FREEBSD4, and so on. When porting Postfix to a new system, the first
-step is to choose a SYSTEMTYPE name for the new system. You must use a name
-that includes at least the major version of the operating system (such as
-SUNOS4 or LINUX2), so that different releases of the same system can be
-supported without confusion.
-
-Add a case statement to the "makedefs" shell script in the source code top-
-level directory that recognizes the new system reliably, and that emits the
-right system-specific information. Be sure to make the code robust against user
-PATH settings; if the system offers multiple UNIX flavors (e.g. BSD and SYSV)
-be sure to build for the native flavor, instead of the emulated one.
-
-Add an "#ifdef SYSTEMTYPE" section to the central util/sys_defs.h include file.
-You may have to invent new feature macro names. Please choose sensible feature
-macro names such as HAS_DBM or FIONREAD_IN_SYS_FILIO_H.
-
-I strongly recommend against using "#ifdef SYSTEMTYPE" in individual source
-files. While this may look like the quickest solution, it will create a mess
-when newer versions of the same SYSTEMTYPE need to be supported. You're likely
-to end up placing "#ifdef" sections all over the source code again.
-
-6 - Installing the software after successful compilation
-
-This text describes how to install Postfix from source code. See the
-PACKAGE_README file if you are building a package for distribution to other
-systems.
-
-6.1 - Save existing Sendmail binaries
-
-IMPORTANT: if you are REPLACING an existing Sendmail installation with Postfix,
-you may need to keep the old sendmail program running for some time in order to
-flush the mail queue.
-
- * Some systems implement a mail switch mechanism where different MTAs
- (Postfix, Sendmail, etc.) can be installed at the same time, while only one
- of them is actually being used. Examples of such switching mechanisms are
- the FreeBSD mailwrapper(8) or the Linux mail switch. In this case you
- should try to "flip" the switch to "Postfix" before installing Postfix.
-
- * If your system has no mail switch mechanism, execute the following commands
- (your sendmail, newaliases and mailq programs may be in a different place):
-
- # mv /usr/sbin/sendmail /usr/sbin/sendmail.OFF
- # mv /usr/bin/newaliases /usr/bin/newaliases.OFF
- # mv /usr/bin/mailq /usr/bin/mailq.OFF
- # chmod 755 /usr/sbin/sendmail.OFF /usr/bin/newaliases.OFF \
- /usr/bin/mailq.OFF
-
-6.2 - Create account and groups
-
-Before you install Postfix for the first time you need to create an account and
-a group:
-
- * Create a user account "postfix" with a user id and group id that are not
- used by any other user account. Preferably, this is an account that no-one
- can log into. The account does not need an executable login shell, and
- needs no existing home directory. My password and group file entries look
- like this:
-
- /etc/passwd:
- postfix:*:12345:12345:postfix:/no/where:/no/shell
-
- /etc/group:
- postfix:*:12345:
-
- Note: there should be no whitespace before "postfix:".
-
- * Create a group "postdrop" with a group id that is not used by any other
- user account. Not even by the postfix user account. My group file entry
- looks like:
-
- /etc/group:
- postdrop:*:54321:
-
- Note: there should be no whitespace before "postdrop:".
-
-6.3 - Install Postfix
-
-To install or upgrade Postfix from compiled source code, run one of the
-following commands as the super-user:
-
- # make install (interactive version, first time install)
-
- # make upgrade (non-interactive version, for upgrades)
-
- * The interactive version ("make install") asks for pathnames for Postfix
- data and program files, and stores your preferences in the main.cf file. If
- you don't want Postfix to overwrite non-Postfix "sendmail", "mailq" and
- "newaliases" files, specify pathnames that end in ".postfix".
-
- * The non-interactive version ("make upgrade") needs the /etc/postfix/main.cf
- file from a previous installation. If the file does not exist, use
- interactive installation ("make install") instead.
-
- * If you specify name=value arguments on the "make install" or "make upgrade"
- command line, then these will take precedence over compiled-in default
- settings or main.cf settings.
-
- The command "make install/upgrade name=value ..." will replace the string
- MAIL_VERSION at the end of a configuration parameter value with the Postfix
- release version. Do not try to specify something like $mail_version on this
- command line. This produces inconsistent results with different versions of
- the make(1) command.
-
-6.4 - Configure Postfix
-
-Proceed to the section on how you wish to run Postfix on your particular
-machine:
-
- * Send mail only, without changing an existing Sendmail installation (section
- 7).
-
- * Send and receive mail via a virtual host interface, still without any
- change to an existing Sendmail installation (section 8).
-
- * Run Postfix instead of Sendmail (section 9).
-
-7 - Configuring Postfix to send mail only
-
-If you are going to use Postfix to send mail only, there is no need to change
-your existing sendmail setup. Instead, set up your mail user agent so that it
-calls the Postfix sendmail program directly.
-
-Follow the instructions in the "Mandatory configuration file edits" in section
-10, and review the "To chroot or not to chroot" text in section 11.
-
-You MUST comment out the "smtp inet" entry in /etc/postfix/master.cf, in order
-to avoid conflicts with the real sendmail. Put a "#" character in front of the
-line that defines the smtpd service:
-
- /etc/postfix/master.cf:
- #smtp inet n - n - - smtpd
-
-Start the Postfix system:
-
- # postfix start
-
-or, if you feel nostalgic, use the Postfix sendmail command:
-
- # sendmail -bd -qwhatever
-
-and watch your maillog file for any error messages. The pathname is /var/log/
-maillog, /var/log/mail, /var/log/syslog, or something else. Typically, the
-pathname is defined in the /etc/syslog.conf file.
-
- $ egrep '(reject|warning|error|fatal|panic):' /some/log/file
-
-Note: the most important error message is logged first. Later messages are not
-as useful.
-
-In order to inspect the mail queue, use one of the following commands:
-
- $ mailq
-
- $ sendmail -bp
-
- $ postqueue -p
-
-See also the "Care and feeding" section 12 below.
-
-8 - Configuring Postfix to send and receive mail via virtual interface
-
-Alternatively, you can use the Postfix system to send AND receive mail while
-leaving your Sendmail setup intact, by running Postfix on a virtual interface
-address. Simply configure your mail user agent to directly invoke the Postfix
-sendmail program.
-
-To create a virtual network interface address, study your system ifconfig
-manual page. The command syntax could be any of:
-
- # ifconfig le0:1 <address> netmask <mask> up
- # ifconfig en0 alias <address> netmask 255.255.255.255
-
-In the /etc/postfix/main.cf file, I would specify
-
- /etc/postfix/main.cf:
- myhostname = virtual.host.tld
- inet_interfaces = $myhostname
- mydestination = $myhostname
-
-Follow the instructions in the "Mandatory configuration file edits" in section
-10, and review the "To chroot or not to chroot" text in section 11.
-
-Start the Postfix system:
-
- # postfix start
-
-or, if you feel nostalgic, use the Postfix sendmail command:
-
- # sendmail -bd -qwhatever
-
-and watch your maillog file for any error messages. The pathname is /var/log/
-maillog, /var/log/mail, /var/log/syslog, or something else. Typically, the
-pathname is defined in the /etc/syslog.conf file.
-
- $ egrep '(reject|warning|error|fatal|panic):' /some/log/file
-
-Note: the most important error message is logged first. Later messages are not
-as useful.
-
-In order to inspect the mail queue, use one of the following commands:
-
- $ mailq
-
- $ sendmail -bp
-
- $ postqueue -p
-
-See also the "Care and feeding" section 12 below.
-
-9 - Running Postfix instead of Sendmail
-
-Prior to installing Postfix you should save any existing sendmail program files
-as described in section 6. Be sure to keep the old sendmail running for at
-least a couple days to flush any unsent mail. To do so, stop the sendmail
-daemon and restart it as:
-
- # /usr/sbin/sendmail.OFF -q
-
-Note: this is old sendmail syntax. Newer versions use separate processes for
-mail submission and for running the queue.
-
-After you have visited the "Mandatory configuration file edits" section below,
-you can start the Postfix system with:
-
- # postfix start
-
-or, if you feel nostalgic, use the Postfix sendmail command:
-
- # sendmail -bd -qwhatever
-
-and watch your maillog file for any error messages. The pathname is /var/log/
-maillog, /var/log/mail, /var/log/syslog, or something else. Typically, the
-pathname is defined in the /etc/syslog.conf file.
-
- $ egrep '(reject|warning|error|fatal|panic):' /some/log/file
-
-Note: the most important error message is logged first. Later messages are not
-as useful.
-
-In order to inspect the mail queue, use one of the following commands:
-
- $ mailq
-
- $ sendmail -bp
-
- $ postqueue -p
-
-See also the "Care and feeding" section 12 below.
-
-10 - Mandatory configuration file edits
-
-Note: the material covered in this section is covered in more detail in the
-BASIC_CONFIGURATION_README document. The information presented below is
-targeted at experienced system administrators.
-
-10.1 - Postfix configuration files
-
-By default, Postfix configuration files are in /etc/postfix. The two most
-important files are main.cf and master.cf; these files must be owned by root.
-Giving someone else write permission to main.cf or master.cf (or to their
-parent directories) means giving root privileges to that person.
-
-In /etc/postfix/main.cf, you will have to set up a minimal number of
-configuration parameters. Postfix configuration parameters resemble shell
-variables, with two important differences: the first one is that Postfix does
-not know about quotes like the UNIX shell does.
-
-You specify a configuration parameter as:
-
- /etc/postfix/main.cf:
- parameter = value
-
-and you use it by putting a "$" character in front of its name:
-
- /etc/postfix/main.cf:
- other_parameter = $parameter
-
-You can use $parameter before it is given a value (that is the second main
-difference with UNIX shell variables). The Postfix configuration language uses
-lazy evaluation, and does not look at a parameter value until it is needed at
-runtime.
-
-Whenever you make a change to the main.cf or master.cf file, execute the
-following command in order to refresh a running mail system:
-
- # postfix reload
-
-10.2 - Default domain for unqualified addresses
-
-First of all, you must specify what domain will be appended to an unqualified
-address (i.e. an address without @domain.tld). The "myorigin" parameter
-defaults to the local hostname, but that is probably OK only for very small
-sites.
-
-Some examples (use only one):
-
- /etc/postfix/main.cf:
- myorigin = $myhostname (send mail as "user@$myhostname")
- myorigin = $mydomain (send mail as "user@$mydomain")
-
-10.3 - What domains to receive locally
-
-Next you need to specify what mail addresses Postfix should deliver locally.
-
-Some examples (use only one):
-
- /etc/postfix/main.cf:
- mydestination = $myhostname, localhost.$mydomain, localhost
- mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
- mydestination = $myhostname
-
-The first example is appropriate for a workstation, the second is appropriate
-for the mailserver for an entire domain. The third example should be used when
-running on a virtual host interface.
-
-10.4 - Proxy/NAT interface addresses
-
-The proxy_interfaces parameter specifies all network addresses that Postfix
-receives mail on by way of a proxy or network address translation unit. You may
-specify symbolic hostnames instead of network addresses.
-
-IMPORTANT: You must specify your proxy/NAT external addresses when your system
-is a backup MX host for other domains, otherwise mail delivery loops will
-happen when the primary MX host is down.
-
-Example: host behind NAT box running a backup MX host.
-
- /etc/postfix/main.cf:
- proxy_interfaces = 1.2.3.4 (the proxy/NAT external network address)
-
-10.5 - What local clients to relay mail from
-
-If your machine is on an open network then you must specify what client IP
-addresses are authorized to relay their mail through your machine into the
-Internet. The default setting includes all subnetworks that the machine is
-attached to. This may give relay permission to too many clients. My own
-settings are:
-
- /etc/postfix/main.cf:
- mynetworks = 168.100.189.0/28, 127.0.0.0/8
-
-10.6 - What relay destinations to accept from strangers
-
-If your machine is on an open network then you must also specify whether
-Postfix will forward mail from strangers. The default setting will forward mail
-to all domains (and subdomains of) what is listed in $mydestination. This may
-give relay permission for too many destinations. Recommended settings (use only
-one):
-
- /etc/postfix/main.cf:
- relay_domains = (do not forward mail from strangers)
- relay_domains = $mydomain (my domain and subdomains)
- relay_domains = $mydomain, other.domain.tld, ...
-
-10.7 - Optional: configure a smart host for remote delivery
-
-If you're behind a firewall, you should set up a relayhost. If you can, specify
-the organizational domain name so that Postfix can use DNS lookups, and so that
-it can fall back to a secondary MX host when the primary MX host is down.
-Otherwise just specify a hard-coded hostname.
-
-Some examples (use only one):
-
- /etc/postfix/main.cf:
- relayhost = $mydomain
- relayhost = [mail.$mydomain]
-
-The form enclosed with [] eliminates DNS MX lookups.
-
-By default, the SMTP client will do DNS lookups even when you specify a relay
-host. If your machine has no access to a DNS server, turn off SMTP client DNS
-lookups like this:
-
- /etc/postfix/main.cf:
- disable_dns_lookups = yes
-
-The STANDARD_CONFIGURATION_README file has more hints and tips for firewalled
-and/or dial-up networks.
-
-10.8 - Create the aliases database
-
-Postfix uses a Sendmail-compatible aliases(5) table to redirect mail for local
-(8) recipients. Typically, this information is kept in two files: in a text
-file /etc/aliases and in an indexed file /etc/aliases.db. The command "postconf
-alias_maps" will tell you the exact location of the text file.
-
-First, be sure to update the text file with aliases for root, postmaster and
-"postfix" that forward mail to a real person. Postfix has a sample aliases file
-/etc/postfix/aliases that you can adapt to local conditions.
-
- /etc/aliases:
- root: you
- postmaster: root
- postfix: root
- bin: root
- etcetera...
-
-Note: there should be no whitespace before the ":".
-
-Finally, build the indexed aliases file with one of the following commands:
-
- # newaliases
- # sendmail -bi
-
-11 - To chroot or not to chroot
-
-Postfix daemon processes can be configured (via master.cf) to run in a chroot
-jail. The processes run at a fixed low privilege and with access only to the
-Postfix queue directories (/var/spool/postfix). This provides a significant
-barrier against intrusion. The barrier is not impenetrable, but every little
-bit helps.
-
-With the exception of Postfix daemons that deliver mail locally and/or that
-execute non-Postfix commands, every Postfix daemon can run chrooted.
-
-Sites with high security requirements should consider to chroot all daemons
-that talk to the network: the smtp(8) and smtpd(8) processes, and perhaps also
-the lmtp(8) client. The author's own porcupine.org mail server runs all daemons
-chrooted that can be chrooted.
-
-The default /etc/postfix/master.cf file specifies that no Postfix daemon runs
-chrooted. In order to enable chroot operation, edit the file /etc/postfix/
-master.cf. Instructions are in the file.
-
-Note that a chrooted daemon resolves all filenames relative to the Postfix
-queue directory (/var/spool/postfix). For successful use of a chroot jail, most
-UNIX systems require you to bring in some files or device nodes. The examples/
-chroot-setup directory in the source code distribution has a collection of
-scripts that help you set up Postfix chroot environments on different operating
-systems.
-
-Additionally, you almost certainly need to configure syslogd so that it listens
-on a socket inside the Postfix queue directory. Examples for specific systems:
-
-FreeBSD:
-
- # mkdir -p /var/spool/postfix/var/run
- # syslogd -l /var/spool/postfix/var/run/log
-
-Linux, OpenBSD:
-
- # mkdir -p /var/spool/postfix/dev
- # syslogd -a /var/spool/postfix/dev/log
-
-12 - Care and feeding of the Postfix system
-
-Postfix daemon processes run in the background, and log problems and normal
-activity to the syslog daemon. The names of logfiles are specified in /etc/
-syslog.conf. At the very least you need something like:
-
- /etc/syslog.conf:
- mail.err /dev/console
- mail.debug /var/log/maillog
-
-IMPORTANT: the syslogd will not create files. You must create them before
-(re)starting syslogd.
-
-IMPORTANT: on Linux you need to put a "-" character before the pathname, e.g.,
--/var/log/maillog, otherwise the syslogd will use more system resources than
-Postfix does.
-
-Hopefully, the number of problems will be small, but it is a good idea to run
-every night before the syslog files are rotated:
-
- # postfix check
- # egrep '(reject|warning|error|fatal|panic):' /some/log/file
-
- * The first line (postfix check) causes Postfix to report file permission/
- ownership discrepancies.
-
- * The second line looks for problem reports from the mail software, and
- reports how effective the relay and junk mail access blocks are. This may
- produce a lot of output. You will want to apply some postprocessing to
- eliminate uninteresting information.
-
-The DEBUG_README document describes the meaning of the "warning" etc. labels in
-Postfix logging.
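Review bot: this region deletes the whole plain-text INSTALL (sections 4.8 through 12) with no matching `+` lines in view, and the removed text is where a packager gets the security-relevant setup guidance: section 10.1 ("these files must be owned by root. Giving someone else write permission to main.cf or master.cf (or to their parent directories) means giving root privileges to that person"), sections 10.5 and 10.6 on narrowing `mynetworks` and `relay_domains` so the host is not an open relay, and section 11 on running the network-facing smtp(8), smtpd(8) and lmtp(8) daemons chrooted. If INSTALL is being renamed or regenerated from README_FILES/INSTALL or the HTML source, the commit message should say so and the corresponding `+` hunk should be checked for the same wording; if it is a genuine deletion, the BASIC_CONFIGURATION_README, STANDARD_CONFIGURATION_README and DEBUG_README files that this text already points to need to carry the root-ownership and relay-restriction advice so nothing is lost.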
-P\bPo\bos\bst\btf\bfi\bix\bx I\bIn\bns\bst\bta\bal\bll\bla\bat\bti\bio\bon\bn F\bFr\bro\bom\bm S\bSo\bou\bur\brc\bce\be C\bCo\bod\bde\be
-
--------------------------------------------------------------------------------
-
-1\b1 -\b- P\bPu\bur\brp\bpo\bos\bse\be o\bof\bf t\bth\bhi\bis\bs d\bdo\boc\bcu\bum\bme\ben\bnt\bt
-
-If you are using a pre-compiled version of Postfix, you should start with
-BASIC_CONFIGURATION_README and the general documentation referenced by it.
-INSTALL is only a bootstrap document to get Postfix up and running from scratch
-with the minimal number of steps; it should not be considered part of the
-general documentation.
-
-This document describes how to build, install and configure a Postfix system so
-that it can do one of the following:
-
- * Send mail only, without changing an existing Sendmail installation.
- * Send and receive mail via a virtual host interface, still without any
- change to an existing Sendmail installation.
- * Run Postfix instead of Sendmail.
-
-Topics covered in this document:
-
- 1. Purpose of this document
- 2. Typographical conventions
- 3. Documentation
- 4. Building on a supported system
- 5. Porting Postfix to an unsupported system
- 6. Installing the software after successful compilation
- 7. Configuring Postfix to send mail only
- 8. Configuring Postfix to send and receive mail via virtual interface
- 9. Running Postfix instead of Sendmail
-10. Mandatory configuration file edits
-11. To chroot or not to chroot
-12. Care and feeding of the Postfix system
-
-2\b2 -\b- T\bTy\byp\bpo\bog\bgr\bra\bap\bph\bhi\bic\bca\bal\bl c\bco\bon\bnv\bve\ben\bnt\bti\bio\bon\bns\bs
-
-In the instructions below, a command written as
-
- # command
-
-should be executed as the superuser.
-
-A command written as
-
- $ command
-
-should be executed as an unprivileged user.
-
-3\b3 -\b- D\bDo\boc\bcu\bum\bme\ben\bnt\bta\bat\bti\bio\bon\bn
-
-Documentation is available as README files (start with the file README_FILES/
-AAAREADME), as HTML web pages (point your browser to "html/index.html") and as
-UNIX-style manual pages.
-
-You should view the README files with a pager such as more(1) or less(1),
-because the files use backspace characters in order to produce b\bbo\bol\bld\bd font. To
-print a README file without backspace characters, use the col(1) command. For
-example:
-
- $ col -bx <file | lpr
-
-In order to view the manual pages before installing Postfix, point your MANPATH
-environment variable to the "man" subdirectory; be sure to use an absolute
-path.
-
- $ export MANPATH; MANPATH="`pwd`/man:$MANPATH"
- $ setenv MANPATH "`pwd`/man:$MANPATH"
-
-Of particular interest is the postconf(5) manual page that lists all the 500+
-configuration parameters. The HTML version of this text makes it easy to
-navigate around.
-
-All Postfix source files have their own built-in manual page. Tools to extract
-those embedded manual pages are available in the mantools directory.
-
-4\b4 -\b- B\bBu\bui\bil\bld\bdi\bin\bng\bg o\bon\bn a\ba s\bsu\bup\bpp\bpo\bor\brt\bte\bed\bd s\bsy\bys\bst\bte\bem\bm
-
-Postfix development happens on FreeBSD and MacOS X, with regular tests on Linux
-(Fedora, Ubuntu) and Solaris. Support for other systems relies on feedback from
-their users, and may not always be up-to-date.
-
-OpenBSD is partially supported. The libc resolver does not implement the
-documented "internal resolver options which are [...] set by changing fields in
-the _res structure" (documented in the OpenBSD 5.6 resolver(3) manpage). This
-results in too many DNS queries, and false positives for queries that should
-fail.
-
-Overview of topics:
-
- * 4.1 - Getting started
- * 4.2 - What compiler to use
- * 4.3 - Building with Postfix position-independent executables (Postfix >=
- 3.0)
- * 4.4 - Building with Postfix dynamically-linked libraries and database
- plugins (Postfix >= 3.0)
- * 4.5 - Building with optional features
- * 4.6 - Overriding built-in parameter default settings
- * 4.7 - Overriding other compile-time features
- * 4.8 - Support for thousands of processes
- * 4.9 - Compiling Postfix, at last
-
-4\b4.\b.1\b1 -\b- G\bGe\bet\btt\bti\bin\bng\bg s\bst\bta\bar\brt\bte\bed\bd
-
-On Solaris, the "make" command and other development utilities are in /usr/ccs/
-bin, so you MUST have /usr/ccs/bin in your command search path. If these files
-do not exist, you need to install the development packages first.
-
-If you need to build Postfix for multiple architectures from a single source-
-code tree, use the "lndir" command to build a shadow tree with symbolic links
-to the source files.
-
-If at any time in the build process you get messages like: "make: don't know
-how to ..." you should be able to recover by running the following command from
-the Postfix top-level directory:
-
- $ make -f Makefile.init makefiles
-
-If you copied the Postfix source code after building it on another machine, it
-is a good idea to cd into the top-level directory and first do this:
-
- $ make tidy
-
-This will get rid of any system dependencies left over from compiling the
-software elsewhere.
-
-4\b4.\b.2\b2 -\b- W\bWh\bha\bat\bt c\bco\bom\bmp\bpi\bil\ble\ber\br t\bto\bo u\bus\bse\be
-
-To build with GCC, or with the native compiler if people told me that is better
-for your system, just cd into the top-level Postfix directory of the source
-tree and type:
-
- $ make
-
-To build with a non-default compiler, you need to specify the name of the
-compiler. Here are a few examples:
-
- $ make makefiles CC=/opt/SUNWspro/bin/cc (Solaris)
- $ make
-
- $ make makefiles CC="/opt/ansic/bin/cc -Ae" (HP-UX)
- $ make
-
- $ make makefiles CC="purify cc"
- $ make
-
-and so on. In some cases, optimization will be turned off automatically.
-
-4\b4.\b.3\b3 -\b- B\bBu\bui\bil\bld\bdi\bin\bng\bg w\bwi\bit\bth\bh P\bPo\bos\bst\btf\bfi\bix\bx p\bpo\bos\bsi\bit\bti\bio\bon\bn-\b-i\bin\bnd\bde\bep\bpe\ben\bnd\bde\ben\bnt\bt e\bex\bxe\bec\bcu\but\bta\bab\bbl\ble\bes\bs (\b(P\bPo\bos\bst\btf\bfi\bix\bx >\b>=\b= 3\b3.\b.0\b0)\b)
-
-On some systems Postfix can be built with Position-Independent Executables. PIE
-is used by the ASLR exploit mitigation technique (ASLR = Address-Space Layout
-Randomization):
-
- $ make makefiles pie=yes ...other arguments...
-
-(Specify "make makefiles pie=no" to explicitly disable Postfix position-
-independent executable support).
-
-Postfix PIE support appears to work on Fedora Core 20, Ubuntu 14.04, FreeBSD 9
-and 10, and NetBSD 6 (all with the default system compilers).
-
-Whether the "pie=yes" above has any effect depends on the compiler. Some
-compilers always produce PIE executables, and some may even complain that the
-Postfix build option is redundant.
-
-4\b4.\b.4\b4 -\b- B\bBu\bui\bil\bld\bdi\bin\bng\bg w\bwi\bit\bth\bh P\bPo\bos\bst\btf\bfi\bix\bx d\bdy\byn\bna\bam\bmi\bic\bca\bal\bll\bly\by-\b-l\bli\bin\bnk\bke\bed\bd l\bli\bib\bbr\bra\bar\bri\bie\bes\bs a\ban\bnd\bd d\bda\bat\bta\bab\bba\bas\bse\be p\bpl\blu\bug\bgi\bin\bns\bs
-(\b(P\bPo\bos\bst\btf\bfi\bix\bx >\b>=\b= 3\b3.\b.0\b0)\b)
-
-Postfix dynamically-linked library and database plugin support exists for
-recent versions of Linux, FreeBSD and MacOS X. Dynamically-linked library
-builds may become the default at some point in the future.
-
-Overview of topics:
-
- * 4.4.1 Turning on Postfix dynamically-linked library support
- * 4.4.2 Turning on Postfix database-plugin support
- * 4.4.3 Customizing Postfix dynamically-linked libraries and database plugins
- * 4.4.4 Tips for distribution maintainers
-
-Note: directories with Postfix dynamically-linked libraries or database plugins
-should contain only postfix-related files. Postfix dynamically-linked libraries
-and database plugins should not be installed in a "public" system directory
-such as /usr/lib or /usr/local/lib. Linking Postfix dynamically-linked library
-or database-plugin files into non-Postfix programs is not supported. Postfix
-dynamically-linked libraries and database plugins implement a Postfix-internal
-API that changes without maintaining compatibility.
-
-4\b4.\b.4\b4.\b.1\b1 T\bTu\bur\brn\bni\bin\bng\bg o\bon\bn P\bPo\bos\bst\btf\bfi\bix\bx d\bdy\byn\bna\bam\bmi\bic\bca\bal\bll\bly\by-\b-l\bli\bin\bnk\bke\bed\bd l\bli\bib\bbr\bra\bar\bry\by s\bsu\bup\bpp\bpo\bor\brt\bt
-
-Postfix can be built with Postfix dynamically-linked libraries (files typically
-named libpostfix-*.so). Postfix dynamically-linked libraries add minor run-time
-overhead and result in significantly-smaller Postfix executable files.
-
-Specify "shared=yes" on the "make makefiles" command line to build Postfix with
-dynamically-linked library support.
-
- $ make makefiles shared=yes ...other arguments...
- $ make
-
-(Specify "make makefiles shared=no" to explicitly disable Postfix dynamically-
-linked library support).
-
-This installs dynamically-linked libraries in $shlib_directory, typically /usr/
-lib/postfix or /usr/local/lib/postfix, with file names libpostfix-name.so,
-where the name is a source-code directory name such as "util" or "global".
-
-See section 4.4.3 "Customizing Postfix dynamically-linked libraries and
-database plugins" below for how to customize the Postfix dynamically-linked
-library location, including support to upgrade a running mail system safely.
-
-4\b4.\b.4\b4.\b.2\b2 T\bTu\bur\brn\bni\bin\bng\bg o\bon\bn P\bPo\bos\bst\btf\bfi\bix\bx d\bda\bat\bta\bab\bba\bas\bse\be-\b-p\bpl\blu\bug\bgi\bin\bn s\bsu\bup\bpp\bpo\bor\brt\bt
-
-Additionally, Postfix can be built to support dynamic loading of Postfix
-database clients (database plugins) with the Debian-style dynamicmaps feature.
-Postfix 3.0 supports dynamic loading of cdb:, ldap:, lmdb:, mysql:, pcre:,
-pgsql:, sdbm:, and sqlite: database clients. Dynamic loading is useful when you
-distribute or install pre-compiled Postfix packages.
-
-Specify "dynamicmaps=yes" on the "make makefiles" command line to build Postfix
-with support to dynamically load Postfix database clients with the Debian-style
-dynamicmaps feature.
-
- $ make makefiles dynamicmaps=yes ...other arguments...
- $ make
-
-(Specify "make makefiles dynamicmaps=no" to explicitly disable Postfix
-database-plugin support).
-
-This implicitly enables dynamically-linked library support, installs the
-configuration file dynamicmaps.cf in $meta_directory (usually, /etc/postfix or
-/usr/local/etc/postfix), and installs database plugins in $shlib_directory (see
-above). Database plugins are named postfix-type.so where the type is a database
-type such as "cdb" or "ldap".
-
- NOTE: The Postfix 3.0 build procedure expects that you specify database
- library dependencies with variables named AUXLIBS_CDB, AUXLIBS_LDAP, etc.
- With Postfix 3.0 and later, the old AUXLIBS variable still supports
- building a statically-loaded database client, but only the new AUXLIBS_CDB
- etc. variables support building a dynamically-loaded or statically-loaded
- CDB etc. database client. See CDB_README, LDAP_README, etc. for details.
-
- Failure to follow this advice will defeat the purpose of dynamic database
- client loading. Every Postfix executable file will have database library
- dependencies. And that was exactly what dynamic database client loading was
- meant to avoid.
-
-See the next section for how to customize the location and version of Postfix
-database plugins and the location of the file dynamicmaps.cf.
-
-4\b4.\b.4\b4.\b.3\b3 C\bCu\bus\bst\bto\bom\bmi\biz\bzi\bin\bng\bg P\bPo\bos\bst\btf\bfi\bix\bx d\bdy\byn\bna\bam\bmi\bic\bca\bal\bll\bly\by-\b-l\bli\bin\bnk\bke\bed\bd l\bli\bib\bbr\bra\bar\bri\bie\bes\bs a\ban\bnd\bd d\bda\bat\bta\bab\bba\bas\bse\be p\bpl\blu\bug\bgi\bin\bns\bs
-
-C\bCu\bus\bst\bto\bom\bmi\biz\bzi\bin\bng\bg b\bbu\bui\bil\bld\bd-\b-t\bti\bim\bme\be a\ban\bnd\bd r\bru\bun\bn-\b-t\bti\bim\bme\be o\bop\bpt\bti\bio\bon\bns\bs f\bfo\bor\br P\bPo\bos\bst\btf\bfi\bix\bx d\bdy\byn\bna\bam\bmi\bic\bca\bal\bll\bly\by-\b-l\bli\bin\bnk\bke\bed\bd
-l\bli\bib\bbr\bra\bar\bri\bie\bes\bs a\ban\bnd\bd d\bda\bat\bta\bab\bba\bas\bse\be p\bpl\blu\bug\bgi\bin\bns\bs
-
-The build-time environment variables SHLIB_CFLAGS, SHLIB_RPATH, and
-SHLIB_SUFFIX provide control over how Postfix libraries and plugins are
-compiled, linked, and named.
-
- $ make makefiles SHLIB_CFLAGS=flags SHLIB_RPATH=rpath SHLIB_SUFFIX=suffix
- ...other arguments...
- $ make
-
-See section 4.7 "Overriding other compile-time features" below for details.
-
-C\bCu\bus\bst\bto\bom\bmi\biz\bzi\bin\bng\bg t\bth\bhe\be l\blo\boc\bca\bat\bti\bio\bon\bn o\bof\bf P\bPo\bos\bst\btf\bfi\bix\bx d\bdy\byn\bna\bam\bmi\bic\bca\bal\bll\bly\by-\b-l\bli\bin\bnk\bke\bed\bd l\bli\bib\bbr\bra\bar\bri\bie\bes\bs a\ban\bnd\bd d\bda\bat\bta\bab\bba\bas\bse\be
-p\bpl\blu\bug\bgi\bin\bns\bs
-
-As a reminder, the directories with Postfix dynamically-linked libraries or
-database plugins should contain only Postfix-related files. Linking these files
-into other programs is not supported.
-
-To override the default location of Postfix dynamically-linked libraries and
-database plugins specify, for example:
-
- $ make makefiles shared=yes shlib_directory=/usr/local/lib/postfix ...
-
-If you intend to upgrade Postfix without stopping the mail system, then you
-should append the Postfix release version to the shlib_directory pathname, to
-eliminate the possibility that programs will link with dynamically-linked
-libraries or database plugins from the wrong Postfix version. For example:
-
- $ make makefiles shared=yes \
- shlib_directory=/usr/local/lib/postfix/MAIL_VERSION ...
-
-The command "make makefiles name=value..." will replace the string MAIL_VERSION
-at the end of a configuration parameter value with the Postfix release version.
-Do not try to specify something like $mail_version on this command line. This
-produces inconsistent results with different versions of the make(1) command.
-
-You can change the shlib_directory setting after Postfix is built, with "make
-install" or "make upgrade". However, you may have to run ldconfig if you change
-shlib_directory after Postfix is built (the symptom is that Postfix programs
-fail because the run-time linker cannot find the files libpostfix-*.so). No
-ldconfig command is needed if you keep the files libpostfix-*.so in the
-compiled-in default $shlib_directory location.
-
- # make upgrade shlib_directory=/usr/local/lib/postfix ...
- # make install shlib_directory=/usr/local/lib/postfix ...
-
-To append the Postfix release version to the pathname if you intend to upgrade
-Postfix without stopping the mail system:
-
- # make upgrade shlib_directory=/usr/local/lib/postfix/MAIL_VERSION ...
- # make install shlib_directory=/usr/local/lib/postfix/MAIL_VERSION ...
-
-See also the comments above for appending MAIL_VERSION with the "make
-makefiles" command.
-
-C\bCu\bus\bst\bto\bom\bmi\biz\bzi\bin\bng\bg t\bth\bhe\be l\blo\boc\bca\bat\bti\bio\bon\bn o\bof\bf d\bdy\byn\bna\bam\bmi\bic\bcm\bma\bap\bps\bs.\b.c\bcf\bf a\ban\bnd\bd o\bot\bth\bhe\ber\br f\bfi\bil\ble\bes\bs
-
-The meta_directory parameter has the same default setting as the
-config_directory parameter, typically /etc/postfix or /usr/local/etc/postfix.
-
-You can override the default meta_directory location at compile time or after
-Postfix is built. To override the default location at compile time specify, for
-example:
-
- % make makefiles meta_directory=/usr/libexec/postfix ...
-
-Here is a tip if you want to make a pathname dependent on the Postfix release
-version: the command "make makefiles name=value..." will replace the string
-MAIL_VERSION at the end of a configuration parameter value with the Postfix
-release version. Do not try to specify something like $mail_version on this
-command line. This produces inconsistent results with different versions of the
-make(1) command.
-
-You can override the meta_directory setting after Postfix is built, with "make
-install" or "make upgrade".
-
- # make upgrade meta_directory=/usr/libexec/postfix ...
- # make install meta_directory=/usr/libexec/postfix ...
-
-As with the command "make makefiles, the command "make install/upgrade
-name=value..." will replace the string MAIL_VERSION at the end of a
-configuration parameter value with the Postfix release version. Do not try to
-specify something like $mail_version on this command line. This produces
-inconsistent results with different versions of the make(1) command.
-
-4\b4.\b.4\b4.\b.4\b4 T\bTi\bip\bps\bs f\bfo\bor\br d\bdi\bis\bst\btr\bri\bib\bbu\but\bti\bio\bon\bn m\bma\bai\bin\bnt\bta\bai\bin\bne\ber\brs\bs
-
- * The shlib_directory parameter setting also provides the default directory
- for database plugin files with a relative pathname in the file
- dynamicmaps.cf.
-
- * The meta_directory parameter specifies the location of the files
- dynamicmaps.cf, postfix-files, and some multi-instance template files. The
- meta_directory parameter has the same default value as the config_directory
- parameter (typically, /etc/postfix or /usr/local/etc/postfix). For
- backwards compatibility with Postfix 2.6 .. 2.11, specify "meta_directory =
- $daemon_directory" in main.cf before installing or upgrading Postfix, or
- specify "meta_directory = /path/name" on the "make makefiles", "make
- install" or "make upgrade" command line.
-
- * The configuration file dynamicmaps.cf will automatically include files
- under the directory dynamicmaps.cf.d, just like the configuration file
- postfix-files will automatically include files under the directory postfix-
- files.d. Thanks to this, you can install or deinstall a database plugin
- package without having to edit postfix-files or dynamicmaps.cf. Instead,
- you give that plugin its own configuration files dynamicmaps.cf.d and
- postfix-files.d, and you add or remove those configuration files along with
- the database plugin dynamically-linked object.
-
- * Each configuration file under the directory dynamicmaps.cf.d must have the
- same format as the configuration file dynamicmaps.cf. There is no
- requirement that these configuration file *names* have a specific format.
-
- * Each configuration file under the directory postfix-files.d must have the
- same format as the configuration file postfix-files. There is no
- requirement that these configuration file *names* have a specific format.
-
-4\b4.\b.5\b5 -\b- B\bBu\bui\bil\bld\bdi\bin\bng\bg w\bwi\bit\bth\bh o\bop\bpt\bti\bio\bon\bna\bal\bl f\bfe\bea\bat\btu\bur\bre\bes\bs
-
-By default, Postfix builds as a mail system with relatively few bells and
-whistles. Support for third-party databases etc. must be configured when
-Postfix is compiled. The following documents describe how to build Postfix with
-support for optional features:
-
- _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b
- |O\bOp\bpt\bti\bio\bon\bna\bal\bl f\bfe\bea\bat\btu\bur\bre\be |D\bDo\boc\bcu\bum\bme\ben\bnt\bt |A\bAv\bva\bai\bil\bla\bab\bbi\bil\bli\bit\bty\by|
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |Berkeley DB database |DB_README |Postfix 1.0 |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |LMDB database |LMDB_README |Postfix 2.11|
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |LDAP database |LDAP_README |Postfix 1.0 |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |MySQL database |MYSQL_README |Postfix 1.0 |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |Perl compatible regular expression|PCRE_README |Postfix 1.0 |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |PostgreSQL database |PGSQL_README |Postfix 2.0 |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |SASL authentication |SASL_README |Postfix 1.0 |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |SQLite database |SQLITE_README|Postfix 2.8 |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |STARTTLS session encryption |TLS_README |Postfix 2.2 |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-
-Note: IP version 6 support is compiled into Postfix on operating systems that
-have IPv6 support. See the IPV6_README file for details.
-
-4\b4.\b.6\b6 -\b- O\bOv\bve\ber\brr\bri\bid\bdi\bin\bng\bg b\bbu\bui\bil\blt\bt-\b-i\bin\bn p\bpa\bar\bra\bam\bme\bet\bte\ber\br d\bde\bef\bfa\bau\bul\blt\bt s\bse\bet\btt\bti\bin\bng\bgs\bs
-
-4\b4.\b.6\b6.\b.1\b1 -\b- P\bPo\bos\bst\btf\bfi\bix\bx 3\b3.\b.0\b0 a\ban\bnd\bd l\bla\bat\bte\ber\br
-
-All Postfix configuration parameters can be changed by editing a Postfix
-configuration file, except for one: the parameter that specifies the location
-of Postfix configuration files. In order to build Postfix with a configuration
-directory other than /etc/postfix, use:
-
- $ make makefiles config_directory=/some/where ...other arguments...
- $ make
-
-The command "make makefiles name=value ..." will replace the string
-MAIL_VERSION at the end of a configuration parameter value with the Postfix
-release version. Do not try to specify something like $mail_version on this
-command line. This produces inconsistent results with different versions of the
-make(1) command.
-
-Parameters whose defaults can be specified in this way are listed below. See
-the postconf(5) manpage for a description (command: "nroff -man man/man5/
-postconf.5 | less").
-
- _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b
- |p\bpa\bar\bra\bam\bme\bet\bte\ber\br n\bna\bam\bme\be |t\bty\byp\bpi\bic\bca\bal\bl d\bde\bef\bfa\bau\bul\blt\bt |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |command_directory |/usr/sbin |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |config_directory |/etc/postfix |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |default_database_type|hash |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |daemon_directory |/usr/libexec/postfix|
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |data_directory |/var/lib/postfix |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |html_directory |no |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |mail_spool_directory |/var/mail |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |mailq_path |/usr/bin/mailq |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |manpage_directory |/usr/local/man |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |meta_directory |/etc/postfix |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |newaliases_path |/usr/bin/newaliases |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |openssl_path |openssl |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |queue_directory |/var/spool/postfix |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |readme_directory |no |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |sendmail_path |/usr/sbin/sendmail |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |shlib_directory |/usr/lib/postfix |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-
-4\b4.\b.6\b6.\b.2\b2 -\b- A\bAl\bll\bl P\bPo\bos\bst\btf\bfi\bix\bx v\bve\ber\brs\bsi\bio\bon\bns\bs
-
-All Postfix configuration parameters can be changed by editing a Postfix
-configuration file, except for one: the parameter that specifies the location
-of Postfix configuration files. In order to build Postfix with a configuration
-directory other than /etc/postfix, use:
-
- $ make makefiles CCARGS='-DDEF_CONFIG_DIR=\"/some/where\"'
- $ make
-
-IMPORTANT: Be sure to get the quotes right. These details matter a lot.
-
-Parameters whose defaults can be specified in this way are listed below. See
-the postconf(5) manpage for a description (command: "nroff -man man/man5/
-postconf.5 | less").
-
- _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b
- |M\bMa\bac\bcr\bro\bo n\bna\bam\bme\be |d\bde\bef\bfa\bau\bul\blt\bt v\bva\bal\blu\bue\be f\bfo\bor\br |t\bty\byp\bpi\bic\bca\bal\bl d\bde\bef\bfa\bau\bul\blt\bt |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |DEF_COMMAND_DIR |command_directory |/usr/sbin |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |DEF_CONFIG_DIR |config_directory |/etc/postfix |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |DEF_DB_TYPE |default_database_type|hash |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |DEF_DAEMON_DIR |daemon_directory |/usr/libexec/postfix|
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |DEF_DATA_DIR |data_directory |/var/lib/postfix |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |DEF_MAILQ_PATH |mailq_path |/usr/bin/mailq |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |DEF_HTML_DIR |html_directory |no |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |DEF_MANPAGE_DIR |manpage_directory |/usr/local/man |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |DEF_NEWALIAS_PATH|newaliases_path |/usr/bin/newaliases |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |DEF_QUEUE_DIR |queue_directory |/var/spool/postfix |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |DEF_README_DIR |readme_directory |no |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |DEF_SENDMAIL_PATH|sendmail_path |/usr/sbin/sendmail |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-
-Note: the data_directory parameter (for caches and pseudo-random numbers) was
-introduced with Postfix version 2.5.
-
-4\b4.\b.7\b7 -\b- O\bOv\bve\ber\brr\bri\bid\bdi\bin\bng\bg o\bot\bth\bhe\ber\br c\bco\bom\bmp\bpi\bil\ble\be-\b-t\bti\bim\bme\be f\bfe\bea\bat\btu\bur\bre\bes\bs
-
-The general method to override Postfix compile-time features is as follows:
-
- $ make makefiles name=value name=value...
- $ make
-
-The following is an extensive list of names and values.
-
- _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b
-|N\bNa\bam\bme\be/\b/V\bVa\bal\blu\bue\be |D\bDe\bes\bsc\bcr\bri\bip\bpt\bti\bio\bon\bn |
-|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-| |Specifies one or more non-default object |
-| |libraries. Postfix 3.0 and later specify some |
-| |of their database library dependencies with |
-|AUXLIBS="object_library..." |AUXLIBS_CDB, AUXLIBS_LDAP, AUXLIBS_LMDB, |
-| |AUXLIBS_MYSQL, AUXLIBS_PCRE, AUXLIBS_PGSQL, |
-| |AUXLIBS_SDBM, and AUXLIBS_SQLITE, |
-| |respectively. |
-|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-|CC=compiler_command |Specifies a non-default compiler. On many |
-| |systems, the default is gcc. |
-|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-| |Specifies non-default compiler arguments, for |
-|CCARGS="compiler_arguments..."|example, a non-default include directory. The |
-| |following directives turn off Postfix features|
-| |at compile time: |
-|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-|| |Do not build with Berkeley DB support. By |
-|| |default, Berkeley DB support is compiled in on|
-||-DNO_DB |platforms that are known to support this |
-|| |feature. If you override this, then you |
-|| |probably should also override DEF_DB_TYPE as |
-|| |described in section 4.6. |
-|_\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-||-DNO_DNSSEC |Do not build with DNSSEC support, even if the |
-|| |resolver library appears to support it. |
-|_\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-|| |Do not build with Solaris /dev/poll support. |
-||-DNO_DEVPOLL |By default, /dev/poll support is compiled in |
-|| |on Solaris versions that are known to support |
-|| |this feature. |
-|_\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-|| |Do not build with Linux EPOLL support. By |
-||-DNO_EPOLL |default, EPOLL support is compiled in on |
-|| |platforms that are known to support this |
-|| |feature. |
-|_\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-|| |Do not build with EAI (SMTPUTF8) support. By |
-||-DNO_EAI |default, EAI support is compiled in when the |
-|| |"icuuc" library and header files are found. |
-|_\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-|| |Do not require support for C99 "inline" |
-||-DNO_INLINE |functions. Instead, implement argument |
-|| |typechecks for non-printf/scanf-like functions|
-|| |with ternary operators and unreachable code. |
-|_\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-|| |Do not build with IPv6 support. By default, |
-|| |IPv6 support is compiled in on platforms that |
-||-DNO_IPV6 |are known to have IPv6 support. Note: this |
-|| |directive is for debugging and testing only. |
-|| |It is not guaranteed to work on all platforms.|
-|_\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-|| |Do not build with FreeBSD / NetBSD / OpenBSD /|
-||-DNO_KQUEUE |MacOSX KQUEUE support. By default, KQUEUE |
-|| |support is compiled in on platforms that are |
-|| |known to support it. |
-|_\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-|| |Do not build with NIS or NISPLUS support. NIS |
-||-DNO_NIS |is not available on some recent Linux |
-|| |distributions. |
-|_\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-|| |Do not build with NISPLUS support. NISPLUS is |
-||-DNO_NISPLUS |not available on some recent Solaris |
-|| |distributions. |
-|_\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-|| |Do not build with PCRE support. By default, |
-||-DNO_PCRE |PCRE support is compiled in when the pcre- |
-|| |config utility is installed. |
-|_\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-|| |Disable support for POSIX getpwnam_r/ |
-||-DNO_POSIX_GETPW_R |getpwuid_r. By default Postfix uses these |
-|| |where they are known to be available. |
-|_\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-|| |Use setjmp()/longjmp() instead of sigsetjmp()/|
-||-DNO_SIGSETJMP |siglongjmp(). By default, Postfix uses |
-|| |sigsetjmp()/siglongjmp() when they are known |
-|| |to be available. |
-|_\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-| |Specifies a non-default compiler debugging |
-|DEBUG=debug_level |level. The default is "-g". Specify DEBUG= to |
-| |turn off debugging. |
-|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-| |Specifies a non-default optimization level. |
-|OPT=optimization_level |The default is "-O". Specify OPT= to turn off |
-| |optimization. |
-|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-| |Specifies non-default compiler options for |
-|SHLIB_CFLAGS=flags |building Postfix dynamically-linked libraries |
-| |and database plugins. The typical default is |
-| |"-fPIC". |
-|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-| |Specifies a non-default runpath for Postfix |
-|SHLIB_RPATH=rpath |dynamically-linked libraries. The typical |
-| |default is "'-Wl,-rpath,${SHLIB_DIR}'". |
-|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-| |Specifies a non-default suffix for Postfix |
-|SHLIB_SUFFIX=suffix |dynamically-linked libraries and database |
-| |plugins. The typical default is ".so". |
-|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-| |Specifies non-default compiler warning options|
-|WARN="warning_flags..." |for use when "make" is invoked in a source |
-| |subdirectory only. |
-|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-
-4\b4.\b.8\b8 -\b- S\bSu\bup\bpp\bpo\bor\brt\bt f\bfo\bor\br t\bth\bho\bou\bus\bsa\ban\bnd\bds\bs o\bof\bf p\bpr\bro\boc\bce\bes\bss\bse\bes\bs
-
-The number of connections that Postfix can manage simultaneously is limited by
-the number of processes that it can run. This number in turn is limited by the
-number of files and sockets that a single process can open. For example, the
-Postfix queue manager has a separate connection to each delivery process, and
-the anvil(8) server has one connection per smtpd(8) process.
-
-Postfix version 2.4 and later have no built-in limits on the number of open
-files or sockets, when compiled on systems that support one of the following:
-
- * BSD kqueue(2) (FreeBSD 4.1, NetBSD 2.0, OpenBSD 2.9),
- * Solaris 8 /dev/poll,
- * Linux 2.6 epoll(4).
-
-With other Postfix versions or operating systems, the number of file
-descriptors per process is limited by the value of the FD_SETSIZE macro. If you
-expect to run more than 1000 mail delivery processes, you may need to override
-the definition of the FD_SETSIZE macro to make select() work correctly:
-
- $ make makefiles CCARGS=-DFD_SETSIZE=2048
-
-Warning: the above has no effect on some Linux versions. Apparently, on these
-systems the FD_SETSIZE value can be changed only by using undocumented
-interfaces. Currently, that means including <bits/types.h> directly (which is
-not allowed) and overriding the __FD_SETSIZE macro. Beware, undocumented
-interfaces can change at any time and without warning.
-
-But wait, there is more: none of this will work unless the operating system is
-configured to handle thousands of connections. See the TUNING_README guide for
-examples of how to increase the number of open sockets or files.
-
-4\b4.\b.9\b9 -\b- C\bCo\bom\bmp\bpi\bil\bli\bin\bng\bg P\bPo\bos\bst\btf\bfi\bix\bx,\b, a\bat\bt l\bla\bas\bst\bt
-
-If the command
-
- $ make
-
-is successful, then you can proceed to install Postfix (section 6).
-
-If the command produces compiler error messages, it may be time to search the
-web or to ask the postfix-users@postfix.org mailing list, but be sure to search
-the mailing list archives first. Some mailing list archives are linked from
-http://www.postfix.org/.
-
-5\b5 -\b- P\bPo\bor\brt\bti\bin\bng\bg P\bPo\bos\bst\btf\bfi\bix\bx t\bto\bo a\ban\bn u\bun\bns\bsu\bup\bpp\bpo\bor\brt\bte\bed\bd s\bsy\bys\bst\bte\bem\bm
-
-Each system type that Postfix knows is identified by a unique name. Examples:
-SUNOS5, FREEBSD4, and so on. When porting Postfix to a new system, the first
-step is to choose a SYSTEMTYPE name for the new system. You must use a name
-that includes at least the major version of the operating system (such as
-SUNOS4 or LINUX2), so that different releases of the same system can be
-supported without confusion.
-
-Add a case statement to the "makedefs" shell script in the source code top-
-level directory that recognizes the new system reliably, and that emits the
-right system-specific information. Be sure to make the code robust against user
-PATH settings; if the system offers multiple UNIX flavors (e.g. BSD and SYSV)
-be sure to build for the native flavor, instead of the emulated one.
-
-Add an "#ifdef SYSTEMTYPE" section to the central util/sys_defs.h include file.
-You may have to invent new feature macro names. Please choose sensible feature
-macro names such as HAS_DBM or FIONREAD_IN_SYS_FILIO_H.
-
-I strongly recommend against using "#ifdef SYSTEMTYPE" in individual source
-files. While this may look like the quickest solution, it will create a mess
-when newer versions of the same SYSTEMTYPE need to be supported. You're likely
-to end up placing "#ifdef" sections all over the source code again.
-
-6\b6 -\b- I\bIn\bns\bst\bta\bal\bll\bli\bin\bng\bg t\bth\bhe\be s\bso\bof\bft\btw\bwa\bar\bre\be a\baf\bft\bte\ber\br s\bsu\buc\bcc\bce\bes\bss\bsf\bfu\bul\bl c\bco\bom\bmp\bpi\bil\bla\bat\bti\bio\bon\bn
-
-This text describes how to install Postfix from source code. See the
-PACKAGE_README file if you are building a package for distribution to other
-systems.
-
-6\b6.\b.1\b1 -\b- S\bSa\bav\bve\be e\bex\bxi\bis\bst\bti\bin\bng\bg S\bSe\ben\bnd\bdm\bma\bai\bil\bl b\bbi\bin\bna\bar\bri\bie\bes\bs
-
-IMPORTANT: if you are REPLACING an existing Sendmail installation with Postfix,
-you may need to keep the old sendmail program running for some time in order to
-flush the mail queue.
-
- * Some systems implement a mail switch mechanism where different MTAs
- (Postfix, Sendmail, etc.) can be installed at the same time, while only one
- of them is actually being used. Examples of such switching mechanisms are
- the FreeBSD mailwrapper(8) or the Linux mail switch. In this case you
- should try to "flip" the switch to "Postfix" before installing Postfix.
-
- * If your system has no mail switch mechanism, execute the following commands
- (your sendmail, newaliases and mailq programs may be in a different place):
-
- # mv /usr/sbin/sendmail /usr/sbin/sendmail.OFF
- # mv /usr/bin/newaliases /usr/bin/newaliases.OFF
- # mv /usr/bin/mailq /usr/bin/mailq.OFF
- # chmod 755 /usr/sbin/sendmail.OFF /usr/bin/newaliases.OFF \
- /usr/bin/mailq.OFF
-
-6\b6.\b.2\b2 -\b- C\bCr\bre\bea\bat\bte\be a\bac\bcc\bco\bou\bun\bnt\bt a\ban\bnd\bd g\bgr\bro\bou\bup\bps\bs
-
-Before you install Postfix for the first time you need to create an account and
-a group:
-
- * Create a user account "postfix" with a user id and group id that are not
- used by any other user account. Preferably, this is an account that no-one
- can log into. The account does not need an executable login shell, and
- needs no existing home directory. My password and group file entries look
- like this:
-
- /etc/passwd:
- postfix:*:12345:12345:postfix:/no/where:/no/shell
-
- /etc/group:
- postfix:*:12345:
-
- Note: there should be no whitespace before "postfix:".
-
- * Create a group "postdrop" with a group id that is not used by any other
- user account. Not even by the postfix user account. My group file entry
- looks like:
-
- /etc/group:
- postdrop:*:54321:
-
- Note: there should be no whitespace before "postdrop:".
-
-6\b6.\b.3\b3 -\b- I\bIn\bns\bst\bta\bal\bll\bl P\bPo\bos\bst\btf\bfi\bix\bx
-
-To install or upgrade Postfix from compiled source code, run one of the
-following commands as the super-user:
-
- # make install (interactive version, first time install)
-
- # make upgrade (non-interactive version, for upgrades)
-
- * The interactive version ("make install") asks for pathnames for Postfix
- data and program files, and stores your preferences in the main.cf file. I\bIf\bf
- y\byo\bou\bu d\bdo\bon\bn'\b't\bt w\bwa\ban\bnt\bt P\bPo\bos\bst\btf\bfi\bix\bx t\bto\bo o\bov\bve\ber\brw\bwr\bri\bit\bte\be n\bno\bon\bn-\b-P\bPo\bos\bst\btf\bfi\bix\bx "\b"s\bse\ben\bnd\bdm\bma\bai\bil\bl"\b",\b, "\b"m\bma\bai\bil\blq\bq"\b" a\ban\bnd\bd
- "\b"n\bne\bew\bwa\bal\bli\bia\bas\bse\bes\bs"\b" f\bfi\bil\ble\bes\bs,\b, s\bsp\bpe\bec\bci\bif\bfy\by p\bpa\bat\bth\bhn\bna\bam\bme\bes\bs t\bth\bha\bat\bt e\ben\bnd\bd i\bin\bn "\b".\b.p\bpo\bos\bst\btf\bfi\bix\bx"\b".
-
- * The non-interactive version ("make upgrade") needs the /etc/postfix/main.cf
- file from a previous installation. If the file does not exist, use
- interactive installation ("make install") instead.
-
- * If you specify name=value arguments on the "make install" or "make upgrade"
- command line, then these will take precedence over compiled-in default
- settings or main.cf settings.
-
- The command "make install/upgrade name=value ..." will replace the string
- MAIL_VERSION at the end of a configuration parameter value with the Postfix
- release version. Do not try to specify something like $mail_version on this
- command line. This produces inconsistent results with different versions of
- the make(1) command.
-
-6\b6.\b.4\b4 -\b- C\bCo\bon\bnf\bfi\big\bgu\bur\bre\be P\bPo\bos\bst\btf\bfi\bix\bx
-
-Proceed to the section on how you wish to run Postfix on your particular
-machine:
-
- * Send mail only, without changing an existing Sendmail installation (section
- 7).
-
- * Send and receive mail via a virtual host interface, still without any
- change to an existing Sendmail installation (section 8).
-
- * Run Postfix instead of Sendmail (section 9).
-
-7\b7 -\b- C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg P\bPo\bos\bst\btf\bfi\bix\bx t\bto\bo s\bse\ben\bnd\bd m\bma\bai\bil\bl o\bon\bnl\bly\by
-
-If you are going to use Postfix to send mail only, there is no need to change
-your existing sendmail setup. Instead, set up your mail user agent so that it
-calls the Postfix sendmail program directly.
-
-Follow the instructions in the "Mandatory configuration file edits" in section
-10, and review the "To chroot or not to chroot" text in section 11.
-
-You MUST comment out the "smtp inet" entry in /etc/postfix/master.cf, in order
-to avoid conflicts with the real sendmail. Put a "#" character in front of the
-line that defines the smtpd service:
-
- /etc/postfix/master.cf:
- #smtp inet n - n - - smtpd
-
-Start the Postfix system:
-
- # postfix start
-
-or, if you feel nostalgic, use the Postfix sendmail command:
-
- # sendmail -bd -qwhatever
-
-and watch your maillog file for any error messages. The pathname is /var/log/
-maillog, /var/log/mail, /var/log/syslog, or something else. Typically, the
-pathname is defined in the /etc/syslog.conf file.
-
- $ egrep '(reject|warning|error|fatal|panic):' /some/log/file
-
-Note: the most important error message is logged first. Later messages are not
-as useful.
-
-In order to inspect the mail queue, use one of the following commands:
-
- $ mailq
-
- $ sendmail -bp
-
- $ postqueue -p
-
-See also the "Care and feeding" section 12 below.
-
-8\b8 -\b- C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg P\bPo\bos\bst\btf\bfi\bix\bx t\bto\bo s\bse\ben\bnd\bd a\ban\bnd\bd r\bre\bec\bce\bei\biv\bve\be m\bma\bai\bil\bl v\bvi\bia\ba v\bvi\bir\brt\btu\bua\bal\bl i\bin\bnt\bte\ber\brf\bfa\bac\bce\be
-
-Alternatively, you can use the Postfix system to send AND receive mail while
-leaving your Sendmail setup intact, by running Postfix on a virtual interface
-address. Simply configure your mail user agent to directly invoke the Postfix
-sendmail program.
-
-To create a virtual network interface address, study your system ifconfig
-manual page. The command syntax could be any of:
-
- # i\bif\bfc\bco\bon\bnf\bfi\big\bg l\ble\be0\b0:\b:1\b1 <\b<a\bad\bdd\bdr\bre\bes\bss\bs>\b> n\bne\bet\btm\bma\bas\bsk\bk <\b<m\bma\bas\bsk\bk>\b> u\bup\bp
- # i\bif\bfc\bco\bon\bnf\bfi\big\bg e\ben\bn0\b0 a\bal\bli\bia\bas\bs <\b<a\bad\bdd\bdr\bre\bes\bss\bs>\b> n\bne\bet\btm\bma\bas\bsk\bk 2\b25\b55\b5.\b.2\b25\b55\b5.\b.2\b25\b55\b5.\b.2\b25\b55\b5
-
-In the /etc/postfix/main.cf file, I would specify
-
- /etc/postfix/main.cf:
- myhostname = virtual.host.tld
- inet_interfaces = $myhostname
- mydestination = $myhostname
-
-Follow the instructions in the "Mandatory configuration file edits" in section
-10, and review the "To chroot or not to chroot" text in section 11.
-
-Start the Postfix system:
-
- # postfix start
-
-or, if you feel nostalgic, use the Postfix sendmail command:
-
- # sendmail -bd -qwhatever
-
-and watch your maillog file for any error messages. The pathname is /var/log/
-maillog, /var/log/mail, /var/log/syslog, or something else. Typically, the
-pathname is defined in the /etc/syslog.conf file.
-
- $ egrep '(reject|warning|error|fatal|panic):' /some/log/file
-
-Note: the most important error message is logged first. Later messages are not
-as useful.
-
-In order to inspect the mail queue, use one of the following commands:
-
- $ mailq
-
- $ sendmail -bp
-
- $ postqueue -p
-
-See also the "Care and feeding" section 12 below.
-
-9\b9 -\b- R\bRu\bun\bnn\bni\bin\bng\bg P\bPo\bos\bst\btf\bfi\bix\bx i\bin\bns\bst\bte\bea\bad\bd o\bof\bf S\bSe\ben\bnd\bdm\bma\bai\bil\bl
-
-Prior to installing Postfix you should save any existing sendmail program files
-as described in section 6. Be sure to keep the old sendmail running for at
-least a couple days to flush any unsent mail. To do so, stop the sendmail
-daemon and restart it as:
-
- # /usr/sbin/sendmail.OFF -q
-
-Note: this is old sendmail syntax. Newer versions use separate processes for
-mail submission and for running the queue.
-
-After you have visited the "Mandatory configuration file edits" section below,
-you can start the Postfix system with:
-
- # postfix start
-
-or, if you feel nostalgic, use the Postfix sendmail command:
-
- # sendmail -bd -qwhatever
-
-and watch your maillog file for any error messages. The pathname is /var/log/
-maillog, /var/log/mail, /var/log/syslog, or something else. Typically, the
-pathname is defined in the /etc/syslog.conf file.
-
- $ egrep '(reject|warning|error|fatal|panic):' /some/log/file
-
-Note: the most important error message is logged first. Later messages are not
-as useful.
-
-In order to inspect the mail queue, use one of the following commands:
-
- $ mailq
-
- $ sendmail -bp
-
- $ postqueue -p
-
-See also the "Care and feeding" section 12 below.
-
-1\b10\b0 -\b- M\bMa\ban\bnd\bda\bat\bto\bor\bry\by c\bco\bon\bnf\bfi\big\bgu\bur\bra\bat\bti\bio\bon\bn f\bfi\bil\ble\be e\bed\bdi\bit\bts\bs
-
-Note: the material covered in this section is covered in more detail in the
-BASIC_CONFIGURATION_README document. The information presented below is
-targeted at experienced system administrators.
-
-1\b10\b0.\b.1\b1 -\b- P\bPo\bos\bst\btf\bfi\bix\bx c\bco\bon\bnf\bfi\big\bgu\bur\bra\bat\bti\bio\bon\bn f\bfi\bil\ble\bes\bs
-
-By default, Postfix configuration files are in /etc/postfix. The two most
-important files are main.cf and master.cf; these files must be owned by root.
-Giving someone else write permission to main.cf or master.cf (or to their
-parent directories) means giving root privileges to that person.
-
-In /etc/postfix/main.cf, you will have to set up a minimal number of
-configuration parameters. Postfix configuration parameters resemble shell
-variables, with two important differences: the first one is that Postfix does
-not know about quotes like the UNIX shell does.
-
-You specify a configuration parameter as:
-
- /etc/postfix/main.cf:
- parameter = value
-
-and you use it by putting a "$" character in front of its name:
-
- /etc/postfix/main.cf:
- other_parameter = $parameter
-
-You can use $parameter before it is given a value (that is the second main
-difference with UNIX shell variables). The Postfix configuration language uses
-lazy evaluation, and does not look at a parameter value until it is needed at
-runtime.
-
-Whenever you make a change to the main.cf or master.cf file, execute the
-following command in order to refresh a running mail system:
-
- # postfix reload
-
-1\b10\b0.\b.2\b2 -\b- D\bDe\bef\bfa\bau\bul\blt\bt d\bdo\bom\bma\bai\bin\bn f\bfo\bor\br u\bun\bnq\bqu\bua\bal\bli\bif\bfi\bie\bed\bd a\bad\bdd\bdr\bre\bes\bss\bse\bes\bs
-
-First of all, you must specify what domain will be appended to an unqualified
-address (i.e. an address without @domain.tld). The "myorigin" parameter
-defaults to the local hostname, but that is probably OK only for very small
-sites.
-
-Some examples (use only one):
-
- /etc/postfix/main.cf:
- myorigin = $myhostname (send mail as "user@$myhostname")
- myorigin = $mydomain (send mail as "user@$mydomain")
-
-1\b10\b0.\b.3\b3 -\b- W\bWh\bha\bat\bt d\bdo\bom\bma\bai\bin\bns\bs t\bto\bo r\bre\bec\bce\bei\biv\bve\be l\blo\boc\bca\bal\bll\bly\by
-
-Next you need to specify what mail addresses Postfix should deliver locally.
-
-Some examples (use only one):
-
- /etc/postfix/main.cf:
- mydestination = $myhostname, localhost.$mydomain, localhost
- mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
- mydestination = $myhostname
-
-The first example is appropriate for a workstation, the second is appropriate
-for the mailserver for an entire domain. The third example should be used when
-running on a virtual host interface.
-
-1\b10\b0.\b.4\b4 -\b- P\bPr\bro\box\bxy\by/\b/N\bNA\bAT\bT i\bin\bnt\bte\ber\brf\bfa\bac\bce\be a\bad\bdd\bdr\bre\bes\bss\bse\bes\bs
-
-The proxy_interfaces parameter specifies all network addresses that Postfix
-receives mail on by way of a proxy or network address translation unit. You may
-specify symbolic hostnames instead of network addresses.
-
-IMPORTANT: You must specify your proxy/NAT external addresses when your system
-is a backup MX host for other domains, otherwise mail delivery loops will
-happen when the primary MX host is down.
-
-Example: host behind NAT box running a backup MX host.
-
- /etc/postfix/main.cf:
- proxy_interfaces = 1.2.3.4 (the proxy/NAT external network address)
-
-1\b10\b0.\b.5\b5 -\b- W\bWh\bha\bat\bt l\blo\boc\bca\bal\bl c\bcl\bli\bie\ben\bnt\bts\bs t\bto\bo r\bre\bel\bla\bay\by m\bma\bai\bil\bl f\bfr\bro\bom\bm
-
-If your machine is on an open network then you must specify what client IP
-addresses are authorized to relay their mail through your machine into the
-Internet. The default setting includes all subnetworks that the machine is
-attached to. This may give relay permission to too many clients. My own
-settings are:
-
- /etc/postfix/main.cf:
- mynetworks = 168.100.189.0/28, 127.0.0.0/8
-
-1\b10\b0.\b.6\b6 -\b- W\bWh\bha\bat\bt r\bre\bel\bla\bay\by d\bde\bes\bst\bti\bin\bna\bat\bti\bio\bon\bns\bs t\bto\bo a\bac\bcc\bce\bep\bpt\bt f\bfr\bro\bom\bm s\bst\btr\bra\ban\bng\bge\ber\brs\bs
-
-If your machine is on an open network then you must also specify whether
-Postfix will forward mail from strangers. The default setting will forward mail
-to all domains (and subdomains of) what is listed in $mydestination. This may
-give relay permission for too many destinations. Recommended settings (use only
-one):
-
- /etc/postfix/main.cf:
- relay_domains = (do not forward mail from strangers)
- relay_domains = $mydomain (my domain and subdomains)
- relay_domains = $mydomain, other.domain.tld, ...
-
-1\b10\b0.\b.7\b7 -\b- O\bOp\bpt\bti\bio\bon\bna\bal\bl:\b: c\bco\bon\bnf\bfi\big\bgu\bur\bre\be a\ba s\bsm\bma\bar\brt\bt h\bho\bos\bst\bt f\bfo\bor\br r\bre\bem\bmo\bot\bte\be d\bde\bel\bli\biv\bve\ber\bry\by
-
-If you're behind a firewall, you should set up a relayhost. If you can, specify
-the organizational domain name so that Postfix can use DNS lookups, and so that
-it can fall back to a secondary MX host when the primary MX host is down.
-Otherwise just specify a hard-coded hostname.
-
-Some examples (use only one):
-
- /etc/postfix/main.cf:
- relayhost = $mydomain
- relayhost = [mail.$mydomain]
-
-The form enclosed with [] eliminates DNS MX lookups.
-
-By default, the SMTP client will do DNS lookups even when you specify a relay
-host. If your machine has no access to a DNS server, turn off SMTP client DNS
-lookups like this:
-
- /etc/postfix/main.cf:
- disable_dns_lookups = yes
-
-The STANDARD_CONFIGURATION_README file has more hints and tips for firewalled
-and/or dial-up networks.
-
-1\b10\b0.\b.8\b8 -\b- C\bCr\bre\bea\bat\bte\be t\bth\bhe\be a\bal\bli\bia\bas\bse\bes\bs d\bda\bat\bta\bab\bba\bas\bse\be
-
-Postfix uses a Sendmail-compatible aliases(5) table to redirect mail for local
-(8) recipients. Typically, this information is kept in two files: in a text
-file /etc/aliases and in an indexed file /etc/aliases.db. The command "postconf
-alias_maps" will tell you the exact location of the text file.
-
-First, be sure to update the text file with aliases for root, postmaster and
-"postfix" that forward mail to a real person. Postfix has a sample aliases file
-/etc/postfix/aliases that you can adapt to local conditions.
-
- /etc/aliases:
- root: you
- postmaster: root
- postfix: root
- bin: root
- etcetera...
-
-Note: there should be no whitespace before the ":".
-
-Finally, build the indexed aliases file with one of the following commands:
-
- # newaliases
- # sendmail -bi
-
-1\b11\b1 -\b- T\bTo\bo c\bch\bhr\bro\boo\bot\bt o\bor\br n\bno\bot\bt t\bto\bo c\bch\bhr\bro\boo\bot\bt
-
-Postfix daemon processes can be configured (via master.cf) to run in a chroot
-jail. The processes run at a fixed low privilege and with access only to the
-Postfix queue directories (/var/spool/postfix). This provides a significant
-barrier against intrusion. The barrier is not impenetrable, but every little
-bit helps.
-
-With the exception of Postfix daemons that deliver mail locally and/or that
-execute non-Postfix commands, every Postfix daemon can run chrooted.
-
-Sites with high security requirements should consider to chroot all daemons
-that talk to the network: the smtp(8) and smtpd(8) processes, and perhaps also
-the lmtp(8) client. The author's own porcupine.org mail server runs all daemons
-chrooted that can be chrooted.
-
-The default /etc/postfix/master.cf file specifies that no Postfix daemon runs
-chrooted. In order to enable chroot operation, edit the file /etc/postfix/
-master.cf. Instructions are in the file.
-
-Note that a chrooted daemon resolves all filenames relative to the Postfix
-queue directory (/var/spool/postfix). For successful use of a chroot jail, most
-UNIX systems require you to bring in some files or device nodes. The examples/
-chroot-setup directory in the source code distribution has a collection of
-scripts that help you set up Postfix chroot environments on different operating
-systems.
-
-Additionally, you almost certainly need to configure syslogd so that it listens
-on a socket inside the Postfix queue directory. Examples for specific systems:
-
-FreeBSD:
-
- # mkdir -p /var/spool/postfix/var/run
- # syslogd -l /var/spool/postfix/var/run/log
-
-Linux, OpenBSD:
-
- # mkdir -p /var/spool/postfix/dev
- # syslogd -a /var/spool/postfix/dev/log
-
-1\b12\b2 -\b- C\bCa\bar\bre\be a\ban\bnd\bd f\bfe\bee\bed\bdi\bin\bng\bg o\bof\bf t\bth\bhe\be P\bPo\bos\bst\btf\bfi\bix\bx s\bsy\bys\bst\bte\bem\bm
-
-Postfix daemon processes run in the background, and log problems and normal
-activity to the syslog daemon. The names of logfiles are specified in /etc/
-syslog.conf. At the very least you need something like:
-
- /etc/syslog.conf:
- mail.err /dev/console
- mail.debug /var/log/maillog
-
-IMPORTANT: the syslogd will not create files. You must create them before
-(re)starting syslogd.
-
-IMPORTANT: on Linux you need to put a "-" character before the pathname, e.g.,
--/var/log/maillog, otherwise the syslogd will use more system resources than
-Postfix does.
-
-Hopefully, the number of problems will be small, but it is a good idea to run
-every night before the syslog files are rotated:
-
- # postfix check
- # egrep '(reject|warning|error|fatal|panic):' /some/log/file
-
- * The first line (postfix check) causes Postfix to report file permission/
- ownership discrepancies.
-
- * The second line looks for problem reports from the mail software, and
- reports how effective the relay and junk mail access blocks are. This may
- produce a lot of output. You will want to apply some postprocessing to
- eliminate uninteresting information.
-
-The DEBUG_README document describes the meaning of the "warning" etc. labels in
-Postfix logging.
-
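Review bot: security guidance is dropped here without a visible replacement. The removed INSTALL text includes section 10.1 (main.cf and master.cf must be root-owned, because write access to them or their parent directories is root access), sections 10.4 to 10.6 (proxy_interfaces to avoid MX delivery loops, and restricting mynetworks and relay_domains so the host is not an open relay) and section 11 (chroot setup, including the syslogd socket under /var/spool/postfix). Section 10 itself says BASIC_CONFIGURATION_README covers this material in more detail; please confirm that document and the examples/chroot-setup scripts still carry it, or state in the commit where the INSTALL content moves, before deleting it from the tree.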
Disable -DSNAPSHOT and -DNONPROD in makedefs.
+ Fix bold "[" and "]" in manpages; these are not part of the
+ command line.
+
+ Add Google credits to manpages.
+
Remove this file from the stable release.
Things to do after the stable release:
Specify WARN_UNUSED_RESULT for all library functions that
pass, deliver, bounce or defer a delivery request.
- Specify WARN_UNUSED_RESULT for mac_expand(), after making
- smtp_reply_footer() undoable.
-
- Type-checking wrappers for htable(3), ctable(3) and other
- modules that take and return a void* pointer. This is
- the next best thing to C++ style HTABLE<payload_type>.
+ Invent some kind of type-checking wrappers for htable(3),
+ ctable(3) and other modules that take and return a void*
+ pointer. We already did that for variadic functions.
TLS certificate provenance: indicate whether a subject
name/issuer are verified or not (for example, change the
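Review bot: the removed item "Specify WARN_UNUSED_RESULT for mac_expand(), after making smtp_reply_footer() undoable" disappears without saying whether it was implemented or abandoned, while the neighbouring WARN_UNUSED_RESULT item for delivery requests stays; either keep it or record its resolution in the commit. The rewording of the htable(3)/ctable(3) type-checking wrapper entry reads fine.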
$manpage_directory/man1/postconf.1:f:root:-:644
$manpage_directory/man1/postdrop.1:f:root:-:644
$manpage_directory/man1/postfix.1:f:root:-:644
+$manpage_directory/man1/postfix-tls.1:f:root:-:644
$manpage_directory/man1/postkick.1:f:root:-:644
$manpage_directory/man1/postlock.1:f:root:-:644
$manpage_directory/man1/postlog.1:f:root:-:644
#++
# NAME
-# postfix-tls-script 1
+# postfix-tls 1
# SUMMARY
-# Postfix TLS support management
+# Postfix TLS management
# SYNOPSIS
-# \fBpostfix-tls-script\fR \fIcommand\fR
+# \fBpostfix tls\fR \fIsubcommand\fB ...\fR
# DESCRIPTION
-# The \fBpostfix-tls-script\fR script enables support for opportunistic
-# TLS in the Postfix SMTP client and/or server. It generates or updates
-# TLS private keys and and self-signed certificates. It executes in an
-# environment that is set up by the \fBpostfix\fR(1) command.
+# The "\fBpostfix tls \fIsubcommand\fB ...\fR" feature enables
+# opportunistic TLS in the Postfix SMTP client and/or server,
+# and manages Postfix SMTP server private keys and certificates.
+#
+# The following subcommands are available:
+# .IP "\fBenable-client\fR [\fB-r \fIrandsource\fR]"
+# Enable opportunistic TLS in the Postfix SMTP client, if all
+# SMTP client TLS settings are at their default values.
+# Otherwise, suggest parameter settings without making any
+# changes.
+# .sp
+# Specify \fIrandsource\fR to update the value of the
+# \fBtls_random_source\fR configuration parameter (typically,
+# /dev/urandom). Prepend \fBdev:\fR to device paths or
+# \fBegd:\fR to EGD socket paths.
+# .IP "\fBenable-server\fR [\fB-r \fIrandsource\fR] [\fB-a \fIalgorithm\fR] [\fB-b \fIbits\fR] [\fIhostname\fB ...\fR]"
+# Create a new private key and self-signed server certificate
+# and enable opportunistic TLS in the Postfix SMTP server,
+# if all SMTP server TLS settings are at their default values.
+# Otherwise, suggest parameter settings without making any
+# changes.
+# .sp
+# The \fIrandsource\fR parameter is as with \fBenable-client\fR
+# above, and the remaining options are as with \fBnew-server-key\fR
+# below.
+# .IP "\fBnew-server-key\fR [\fB-a \fIalgorithm\fR] [\fB-b \fIbits\fR] [\fIhostname\fB ...\fR]"
+# Create a new private key and self-signed server certificate,
+# but do not deploy them. Log and display commands to deploy
+# the new key and corresponding certificate. Also log and
+# display commands to output a corresponding CSR or TLSA
+# records which may be needed to obtain a CA certificate or
+# to update DNS before the new key can be deployed.
+# .sp
+# The \fIalgorithm\fR defaults to \fBrsa\fR, and \fIbits\fR
+# defaults to 2048. If you choose the \fBecdsa\fR \fIalgorithm\fR
+# then \fIbits\fR will be an EC curve name (by default
+# \fBsecp256r1\fR, also known as prime256v1). Curves other
+# than \fBsecp256r1\fR, \fBsecp384r1\fR or \fBsecp521r1\fR
+# are unlikely to be widely interoperable. When generating
+# EC keys, use one of these three. DSA keys are obsolete and
+# are not supported.
+# .sp
+# Note: ECDSA support requires OpenSSL 1.0.0 or later and may
+# not be available on your system. Not all client systems
+# will support ECDSA, so you'll generally want to deploy both
+# RSA and ECDSA certificates to make use of ECDSA with
+# compatible clients and RSA with the rest. If you want to
+# deploy certificate chains with intermediate CAs for both
+# RSA and ECDSA, you'll want at least OpenSSL 1.0.2, as earlier
+# versions may not handle multiple chain files correctly.
+# .sp
+# The first \fIhostname\fR argument will be the \fBCommonName\fR
+# of both the subject and issuer of the self-signed certificate.
+# It, and any additional \fIhostname\fR arguments, will also
+# be listed as DNS alternative names in the certificate. If
+# no \fIhostname\fR is provided the value of the \fBmyhostname\fR
+# main.cf parameter will be used.
+# .sp
+# For RSA, the generated private key and certificate files
+# are named \fBkey-\fIyyyymmdd-hhmmss\fB.pem\fR and
+# \fBcert-\fIyyyymmdd-hhmmss\fB.pem\fR, where \fIyyyymmdd\fR
+# is the calendar date and \fIhhmmss\fR is the time of day
+# in UTC. For ECDSA, the file names start with \fBeckey-\fR
+# and \fBeccert-\fR instead of \fBkey-\fR and \fBcert-\fR
+# respectively.
+# .sp
+# Before deploying the new key and certificate with DANE,
+# update the DNS with new DANE TLSA records, then wait for
+# secondary nameservers to update and then for stale records
+# in remote DNS caches to expire.
+# .sp
+# Before deploying a new CA certificate make sure to include
+# all the required intermediate issuing CA certificates in
+# the certificate chain file. The server certificate must
+# be the first certificate in the chain file. Overwrite and
+# deploy the file with the original self-signed certificate
+# that was generated together with the key.
+# .IP "\fBnew-server-cert\fR [\fB-a \fIalgorithm\fR] [\fB-b \fIbits\fR] [\fIhostname\fB ...\fR]"
+# This is just like \fBnew-server-key\fR except that, rather
+# than generating a new private key, any currently deployed
+# private key is copied to the new key file. Thus if you're
+# publishing DANE TLSA "3 1 1" or "3 1 2" records, there is
+# no need to update DNS records. The \fIalgorithm\fB and
+# \fIbits\fR arguments are used only if no key of the same
+# algorithm is already configured.
+# .sp
+# This command is rarely needed, because the self-signed
+# certificates generated have a 100-year nominal expiration
+# time. The underlying public key algorithms may well be
+# obsoleted by quantum computers long before then.
+# .sp
+# The most plausible reason for using this command is when
+# the system hostname changes, and you'd like the name in the
+# certificate to match the new hostname (not required for
+# DANE "3 1 1", but some needlessly picky non-DANE opportunistic
+# TLS clients may log warnings or even refuse to communicate).
+# .IP "\fBdeploy-server-cert \fIcertfile\fB \fIkeyfile\fR"
+# This subcommand deploys the certificates in \fIcertfile\fR
+# and private key in \fIkeyfile\fR (which are typically
+# generated by the commands above, which will also log and
+# display the full command needed to deploy the generated key
+# and certificate). After the new certificate and key are
+# deployed any obsolete keys and certificates may be removed
+# by hand. The \fIkeyfile\fR and \fIcertfile\fR filenames
+# are relative to the Postfix configuration directory.
+# .IP "\fBoutput-server-csr\fR [\fB-k \fIkeyfile\fR] [\fIhostname\fB
+# ...\fR]"
+# Write to stdout a certificate signing request (CSR) for the
+# specified \fIkeyfile\fR.
+# .sp
+# Instead of a filename, \fIkeyfile\fR may specify one of the
+# supported key algorithm names (see "\fBpostconf -T
+# public-key-algorithms\fR"). In that case, the corresponding
+# setting from main.cf is used to locate the \fIkeyfile\fR.
+# The default \fIkeyfile\fR value is \fBrsa\fR.
+# .sp
+# Zero or more \fIhostname\fR values can be specified. The
+# default \fIhostname\fR is the value of \fBmyhostname\fR
+# main.cf parameter.
+# .IP "\fBoutput-server-tlsa\fR [\fB-h \fIhostname\fR] [\fIkeyfile\fB ...\fR]"
+# Write to stdout a DANE TLSA RRset suitable for a port 25
+# SMTP server on host \fIhostname\fR with keys from any of
+# the specified \fIkeyfile\fR values. The default \fIhostname\fR
+# is the value of the \fBmyhostname\fR main.cf parameter.
+# .sp
+# Instead of filenames, the \fIkeyfile\fR list may specify
+# names of supported public key algorithms (see "\fBpostconf
+# -T public-key-algorithms\fR"). In that case, the actual
+# \fIkeyfile\fR list uses the values of the corresponding
+# Postfix server TLS key file parameters. If a parameter
+# value is empty or equal to \fBnone\fR, then no TLSA record
+# is output for that algorithm.
+# .sp
+# The default \fIkeyfile\fR list consists of the two supported
+# algorithms \fBrsa\fR and \fBecdsa\fR.
+# CONFIGURATION PARAMETERS
+# .ad
+# .fi
+# The "\fBpostfix tls \fIsubcommand\fB ...\fR" feature reads
+# or updates the following configuration parameters.
+# .IP "\fBcommand_directory (see 'postconf -d' output)\fR"
+# The location of all postfix administrative commands.
+# .IP "\fBconfig_directory (see 'postconf -d' output)\fR"
+# The default location of the Postfix main.cf and master.cf
+# configuration files.
+# .IP "\fBopenssl_path (openssl)\fR"
+# The location of the OpenSSL command line program \fBopenssl\fR(1).
+# .IP "\fBsmtp_tls_loglevel (0)\fR"
+# Enable additional Postfix SMTP client logging of TLS activity.
+# .IP "\fBsmtp_tls_security_level (empty)\fR"
+# The default SMTP TLS security level for the Postfix SMTP client;
+# when a non-empty value is specified, this overrides the obsolete
+# parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
+# .IP "\fBsmtp_tls_session_cache_database (empty)\fR"
+# Name of the file containing the optional Postfix SMTP client
+# TLS session cache.
+# .IP "\fBsmtpd_tls_cert_file (empty)\fR"
+# File with the Postfix SMTP server RSA certificate in PEM format.
+# .IP "\fBsmtpd_tls_eccert_file (empty)\fR"
+# File with the Postfix SMTP server ECDSA certificate in PEM format.
+# .IP "\fBsmtpd_tls_eckey_file ($smtpd_tls_eccert_file)\fR"
+# File with the Postfix SMTP server ECDSA private key in PEM format.
+# .IP "\fBsmtpd_tls_key_file ($smtpd_tls_cert_file)\fR"
+# File with the Postfix SMTP server RSA private key in PEM format.
+# .IP "\fBsmtpd_tls_loglevel (0)\fR"
+# Enable additional Postfix SMTP server logging of TLS activity.
+# .IP "\fBsmtpd_tls_received_header (no)\fR"
+# Request that the Postfix SMTP server produces Received: message
+# headers that include information about the protocol and cipher used,
+# as well as the remote SMTP client CommonName and client certificate issuer
+# CommonName.
+# .IP "\fBsmtpd_tls_security_level (empty)\fR"
+# The SMTP TLS security level for the Postfix SMTP server; when
+# a non-empty value is specified, this overrides the obsolete parameters
+# smtpd_use_tls and smtpd_enforce_tls.
+# .IP "\fBtls_random_source (see 'postconf -d' output)\fR"
+# The external entropy source for the in-memory \fBtlsmgr\fR(8) pseudo
+# random number generator (PRNG) pool.
# SEE ALSO
# master(8) Postfix master program
# postfix(1) Postfix administrative interface
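Review bot: two troff defects in the new manpage text. In the new-server-cert entry, "The \fIalgorithm\fB and \fIbits\fR arguments" uses \fB where \fR is meant, so the word "and" renders in bold; it should read "The \fIalgorithm\fR and". In the output-server-csr entry the .IP macro argument is split across two source lines (".IP "\fBoutput-server-csr\fR [\fB-k \fIkeyfile\fR] [\fIhostname\fB" followed by "...\fR]""), which leaves the quoted argument unterminated on the first line and breaks the item heading; join it onto one line as every other .IP entry is. The parameter descriptions under CONFIGURATION PARAMETERS match the names used in the subcommand text (smtpd_tls_eckey_file, smtpd_tls_key_file, tls_random_source), good.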
# Viktor Dukhovni
#--
+RSA_BITS=2048 # default
+EC_CURVE=secp256r1 # default
+
case $daemon_directory in
"") echo This script must be run by the postfix command. 1>&2
echo Do not run directly. 1>&2
- exit 1
+ exit 1;;
esac
umask 022
SHELL=/bin/sh
+postconf=$command_directory/postconf
+LOGGER="$command_directory/postlog -t $MAIL_LOGTAG/postfix-tls-script"
+INFO="$LOGGER -p info"
+WARN="$LOGGER -p warn"
+ERROR="$LOGGER -p error"
+FATAL="$LOGGER -p fatal"
+
#
# Can't do much without these in place.
#
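Review bot: the LOGGER, INFO, WARN, ERROR and FATAL definitions are now built from $command_directory before the "Can't do much without these in place" check that follows, so any $FATAL call inside that check would try to run "/postlog" when command_directory is empty; either keep the logger definitions after the check, as they were before this patch, or have that check report with a plain echo to stderr. The "exit 1;;" change is a correct fix for the unterminated case arm. RSA_BITS=2048 and EC_CURVE=secp256r1 are sensible defaults and match the manpage text.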
exit 1
}
-postconf=$command_directory/postconf
-LOGGER="$command_directory/postlog -t $MAIL_LOGTAG/postfix-tls-script"
-INFO="$LOGGER -p info"
-WARN="$LOGGER -p warn"
-FATAL="$LOGGER -p fatal"
+check_getopt() {
+ OPTIND=1
+ a=
+ b=
+ c=
+ set -- -a 1 -b 2 -c -- -pos
+ while getopts :a:b:c o
+ do
+ case $o in
+ a) a="${OPTARG}";;
+ b) b="${OPTARG}";;
+ c) c=3;;
+ *) return 1;;
+ esac
+ done
+ shift `expr ${OPTIND} - 1`
+ if [ "${a}" != "1" -o "${b}" != 2 -o "${c}" != 3 \
+ -o "${OPTIND}" -ne 7 -o "$1" != "-pos" ]; then
+ return 1
+ fi
+}
-# Make this our *last* "cd", so all the key/cert generation runs in the
-# configuration directory.
-#
-cd $config_directory || {
- $FATAL no Postfix configuration directory $config_directory!
+check_getopt || {
+ $FATAL "/bin/sh does not implement a compatible 'getopts' built-in"
exit 1
}
-#$postconf -d | grep '^smtpd_tls_cert_file =' >/dev/null || {
-# mail_version=`$postconf -dh mail_version`
-# $FATAL "Postfix $mail_version is not compiled with TLS support"
-# exit 1
-#}
+# ----- BEGIN OpenSSL-specific -----
# No need to set the location of the OpenSSL command in each Postfix instance,
# the value from the default instance is used for all instances.
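Review bot: check_getopt leaves its scratch variables a, b, c and o behind as globals after the probe; the dispatcher resets OPTIND=1 before every later getopts loop so that part is covered, but a, b and c stay set for the rest of the run and are easy to confuse with later meaningful names. Consider `unset a b c o` at the end of the function. Minor: the final test quotes "1" but compares `${b}` and `${c}` against bare 2 and 3; quote all three consistently.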
exit 1
}
+# ----- END OpenSSL-specific -----
+
+# Make this our *last* "cd", so all the key/cert generation runs in the
+# configuration directory.
+#
+test -n "$config_directory" && cd $config_directory || {
+ $FATAL no Postfix configuration directory $config_directory!
+ exit 1
+}
+
+# Do we support TLS and if so which algorithms?
+#
+$postconf -T compile-version | grep . >/dev/null || {
+ mail_version=`$postconf -dh mail_version`
+ $FATAL "Postfix $mail_version is not compiled with TLS support"
+ exit 1
+}
+rsa=
+ecdsa=
+for _algo in `$postconf -T public-key-algorithms | egrep '^(rsa|ecdsa)$'`
+do
+ eval $_algo=$_algo
+done
+
+# ----- BEGIN OpenSSL-specific -----
+
+if [ -n "${ecdsa}" ]; then
+ $openssl ecparam -name secp256r1 >/dev/null 2>&1 || {
+ cat <<-EOM | $WARN
+ Postfix supports ECDSA, but the $openssl command does not. Consider
+ setting the openssl_path parameter to a more capable version of the
+ command-line utility than $openssl (with PATH=$PATH).
+ EOM
+ ecdsa=
+ }
+fi
+if [ -n "${rsa}" ]; then
+ DEFALG=rsa
+elif [ -n "${ecdsa}" ]; then
+ DEFALG=ecdsa
+else
+ mail_version=`$postconf -dh mail_version`
+ $FATAL "Postfix $mail_version does not support either RSA or ECDSA"
+ exit 1
+fi
+
+# Make sure stdin is open when testing
+if [ -r /dev/stdin ] < /dev/null; then
+ stdin=/dev/stdin
+elif [ -r /dev/fd/0 ] </dev/null; then
+ stdin=/dev/fd/0
+else
+ $FATAL No /dev/fd/0 or /dev/stdin found
+ exit 1
+fi
+
hex_sha256() {
$openssl dgst -binary -sha256 | od -An -vtx1 | tr -d ' \012'
}
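Review bot: the "last cd" block quotes the variable in `test -n "$config_directory"` but then runs `cd $config_directory` unquoted, so a configuration directory containing whitespace would word-split; use `cd "$config_directory"`. Separately, `eval $_algo=$_algo` over the `postconf -T public-key-algorithms` output is safe only because of the `egrep '^(rsa|ecdsa)$'` filter in the same for loop; a one-line comment saying the filter is what makes the eval safe would stop someone from loosening it later.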
#
null256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
tmp=`hex_sha256 </dev/null 2>/dev/null`
-if [ "$tmp" != "$null256" ]; then
+if [ "${tmp}" != "${null256}" ]; then
cat <<EOF >&2
Your $openssl does not support the SHA2-256 digest algorithm. To enable
'postfix tls', install an OpenSSL that does. Install its openssl(1) command
exit 1
fi
-if [ -r /dev/stdin ]; then
- stdin=/dev/stdin
-elif [ -r /dev/fd/0 ]; then
- stdin=/dev/fd/0
-else
- $FATAL No /dev/fd/0 or /dev/stdin found
- exit 1
-fi
-
read_key() {
[ -n "$1" -a -f "$1" ] || return 1
# Old OpenSSL versions return success even for unsupported sub-commands!
- # So we inspect the output instead. Don't prompt if the key is password
+ # So we inspect the output instead. Don't prompt if the key is password
# protected.
#
- for cmd in pkey rsa; do
- $openssl $cmd -passin "pass:umask 077" -in "$1" |
- grep . && return 0
- done 2>/dev/null
+ while read cmd key_algo key_param cert_param; do
+ $openssl $cmd -passin "pass:umask 077" -in "$1" |
+ grep . && return 0
+ done 2>/dev/null <<-EOF
+ rsa rsa smtpd_tls_key_file smtpd_tls_cert_file
+ ec ecdsa smtpd_tls_eckey_file smtpd_tls_eccert_file
+ EOF
return 1
}
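Review bot: read_key now has a second contract beyond its exit status: the `while read cmd key_algo key_param cert_param` loop leaves key_algo, key_param and cert_param set for the sub-command that produced output, and both copy_key (`# sets key_algo of current key`) and deploy_server_cert (`# Sets key_algo, key_param and cert_param`) depend on that. State this in read_key's own header comment, since a later edit that runs the loop in a subshell or pipes into it would silently break both callers while the function still "works".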
# Old OpenSSL versions return success even for unsupported sub-commands!
# So we inspect the output instead.
#
- for cmd in pkey rsa; do
- $openssl $cmd -passin "pass:umask 077" -in "$1" -pubout |
- $openssl $cmd -pubin -outform DER |
- hex_sha256 | egrep -v "$null256" && return 0
+ for cmd in ec rsa; do
+ $openssl $cmd -passin "pass:umask 077" -in "$1" -pubout |
+ $openssl $cmd -pubin -outform DER |
+ hex_sha256 | egrep -v "${null256}" && return 0
done 2>/dev/null
return 1
}
-set_fqdn() {
- if [ -n "$1" ]; then fqdn=$1; return 0; fi
- fqdn=`$postconf -xh myhostname` || return 1
- case $fqdn in /*) fqdn=`cat "${fqdn}"` || return 1;; esac
-}
+cert_pubkey_dgst() {
+ [ -n "$1" -a -f "$1" ] || return 1
-set_key() {
- # Re-use any original private key
+ # Old OpenSSL versions return success even for unsupported sub-commands!
+ # So we inspect the output instead.
#
- key=$1
- if [ -z "$key" ]
- then
- key=`$postconf -nxh smtpd_tls_key_file`
- if [ -z "$key" ]; then
- $FATAL "no private key configured"
- return 1
- fi
- fi
- read_key "${key}" >/dev/null && return 0
- $FATAL "no private key found in file: $key"
+ for cmd in ec rsa; do
+ $openssl x509 -pubkey -noout -in "$1" |
+ $openssl $cmd -pubin -outform DER |
+ hex_sha256 | egrep -v "${null256}" && return 0
+ done 2>/dev/null
return 1
}
-new_cert() {
- set_fqdn
- stamp=`date +%Y%m%d-%H%M%S`
+copy_key() {
+ _algo=$1; shift
+ _bits=$1; shift
+ _fold=$1; shift
+ _fnew=$1; shift
+ _umask=`umask`
+
+ umask 077
+ read_key "${_fold}" > "${_fnew}" # sets key_algo of current key
+ _ret=$?
+ umask "${_umask}"
- newcert="cert-${stamp}.pem"
- conf_cert_file="\${config_directory}/${newcert}"
- if [ -r "${newcert}" ]; then
- $FATAL "New certificate file already exists: ${newcert}"
+ if [ "${_ret}" -ne 0 ]; then
+ $FATAL "Error copying private key from '${_fold}' to '${_fnew}'"
return 1
fi
-
- newkey="key-${stamp}.pem"
- conf_key_file="\${config_directory}/${newkey}"
- if [ -r "${newkey}" ]; then
- $FATAL "New key file already exists: ${newkey}"
+ if [ "${key_algo}" != "${_algo}" ]; then
+ $FATAL "Key algorithm '$key_algo' of '${_fold}' is not '${_algo}'"
return 1
fi
+ # XXX: We'd need C-code in postconf to portably check for compatible "bits"
+}
+
+create_key() {
+ _algo=$1
+ _bits=$2
+ _fnew=$3
+ _umask=`umask`
- if [ $# -gt 0 ]; then
- (umask 077; read_key "$1" > "${newkey}") ||
- { rm "${newkey}"; return 1; }
+ case $_algo in
+ "") $FATAL "Internal error: empty algorithm"; return 1;;
+ $rsa) set -- "${openssl}" genrsa -out "${_fnew}" "${_bits}";;
+ $ecdsa) set -- "${openssl}" ecparam -param_enc named_curve -genkey \
+ -out "${_fnew}" -name "${_bits}";;
+ *) $FATAL "Internal error: bad algorithm '${_algo}'"
+ return 1;;
+ esac
+
+ umask 077
+ _err=`"$@" 2>&1`
+ _ret=$?
+ umask "${_umask}"
+
+ if [ "${_ret}" -ne 0 ]; then
+ echo "${_err}" | $WARN
+ $FATAL "error generating new ${_algo} ${_bits} private key"
+ return 1
fi
+}
- # Re-use any existing key
- #
- _newkey=
- if [ ! -f "${newkey}" ]; then
- _err=`umask 077; $openssl genrsa -out "${newkey}" 2048 2>&1` || {
- echo "$_err" | $WARN
- $FATAL "error generating new private key"
- rm -f "${newkey}"
- return 1
- }
- _newkey="${newkey}"
+create_cert() {
+ _k=$1; shift
+ _c=$1; shift
+ set_fqdn "$1"
+ if [ $# -gt 0 ]; then shift; fi
+ set -- "$fqdn" "$@"
+
+ if [ -r "${_c}" ]; then
+ $FATAL "New certificate file already exists: ${_c}"
+ return 1
fi
# Generate a new self-signed (~100 year) certificate
#
- printf "[req]\n%s\n%s\n[dn]\n%s\n[ext]\n%s\n%s\n%s\n[alt]\n%s\n" \
- "default_md = sha256" "distinguished_name = dn" "CN_default=" \
- "basicConstraints = CA:false" \
- "extendedKeyUsage = serverAuth" \
- "subjectAltName = @alt" "DNS=${fqdn}" |
- $openssl req -x509 -sha256 -new -key "${newkey}" -config $stdin \
- -extensions ext -subj "/CN=${fqdn}" -days 36525 -out "${newcert}" || {
- rm -f "${newcert}"
- if [ -n "${_newkey}" ]; then rm -f "${_newkey}"; fi
- $FATAL "error generating self-signed SSL certificate"
- return 1
+ (
+ echo "default_md = sha256"
+ echo "x509_extensions = v3"
+ echo "prompt = yes"
+ echo "distinguished_name = dn"
+ echo "[dn]"
+ echo "[v3]"
+ echo "basicConstraints = CA:false"
+ echo "subjectKeyIdentifier = hash"
+ echo "extendedKeyUsage = serverAuth, clientAuth"
+ echo "subjectAltName = @alts"
+ echo "[alts]"
+ i=1; for dns in "$@"; do
+ # XXX map empty to $myhostname
+ echo "DNS.$i = $dns"
+ i=`expr $i + 1`
+ done
+ ) | $openssl req -x509 -config $stdin -new -key "${_k}" \
+ -subj "/CN=$fqdn" -days 36525 -out "${_c}" || {
+ rm -f "${_c}" "${_k}"
+ $FATAL "error generating self-signed SSL certificate"
+ return 1
}
}
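Review bot: the `# XXX map empty to $myhostname` comment inside the [alts] loop looks stale: `set_fqdn "$1"` followed by `set -- "$fqdn" "$@"` already guarantees a non-empty first name, so either drop the XXX or reject an empty later argument explicitly (an empty `$dns` still emits `DNS.n = `). Also, extendedKeyUsage changes from `serverAuth` in the removed printf config to `serverAuth, clientAuth`; the generated certificate is now usable for SMTP client authentication as well, which deserves a sentence in the change description.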
+output_server_csr() {
+ set_keyfile "$1" || return 1
+ shift
+ set_fqdn "$1" || return 1
+ shift
+ set -- "$fqdn" "$@"
+ (
+ echo "default_md = sha256"
+ echo "req_extensions = v3"
+ echo "prompt = yes"
+ echo "distinguished_name = dn"
+ echo "[dn]"
+ echo "[v3]"
+ echo "subjectKeyIdentifier = hash"
+ echo "extendedKeyUsage = serverAuth, clientAuth"
+ echo "subjectAltName = @alts"
+ echo "[alts]"
+ i=1; for dns in "$@"; do
+ echo "DNS.$i = $dns"
+ i=`expr $i + 1`
+ done
+ ) | $openssl req -config $stdin -new -key "$keyfile" -subj /
+}
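Review bot: output_server_csr produces a CSR with an empty subject (`-subj /`), so the requested names are carried only in the subjectAltName extension; this differs from the removed gen_csr, which used `-subj "/CN=$fqdn"`, and the output-server-csr documentation added in this patch should say so. The `set_keyfile "$1"` call here is also redundant: the dispatcher has already resolved `$keyfile` before calling `output_server_csr "$keyfile" "$@"`, and passing a real file name through set_keyfile only works because it falls through the case statement unchanged.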
+
+# ----- END OpenSSL-specific -----
+
+info_enable_client() {
+ cat <<-EOM
+ *** Non-default SMTP client TLS settings detected, no changes made.
+ For opportunistic TLS in the Postfix SMTP client, the below settings
+ are typical:
+ smtp_tls_security_level = may
+ smtp_tls_loglevel = 1
+ EOM
+ if get_cache_db_type dbtype
+ then
+ echo " smtp_tls_session_cache_database = ${dbtype}:\${data_directory}/smtp_scache"
+ fi
+}
+
+info_client_deployed() {
+ cat <<-EOM
+ Enabled opportunistic TLS in the Postfix SMTP client, run:
+ # postfix reload
+ if you want the new settings to take effect immediately.
+ EOM
+}
+
+info_enable_server() {
+ cat <<-EOM
+ *** Non-default SMTP server TLS settings detected, no changes made.
+ For opportunistic TLS in the Postfix SMTP server, the below settings
+ are typical:
+ smtpd_tls_security_level = may
+ smtpd_tls_loglevel = 1
+ You can use "postfix tls new-server-cert" to create a new certificate.
+ Or, "postfix tls new-server-key" to also force a new private key.
+ If you publish DANE TLSA records, see:
+ https://tools.ietf.org/html/rfc7671#section-8
+ https://tools.ietf.org/html/rfc7671#section-5.1
+ https://tools.ietf.org/html/rfc7671#section-5.2
+ https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022
+ EOM
+}
+
+# args: certfile keyfile deploy
+info_created() {
+ cat <<-EOM
+ New private key and self-signed certificate created. To deploy run:
+ # postfix tls deploy-server-cert $1 $2
+ EOM
+}
+
+# args: certfile keyfile deploy
+info_server_deployed() {
+ if [ "$3" = "enable" ]; then
+ echo "Enabled opportunistic TLS in the Postfix SMTP server"
+ fi
+ cat <<-EOM
+ New TLS private key and certificate deployed, run:
+ # postfix reload
+ if you want the new settings to take effect immediately.
+ EOM
+}
+
+# args: certfile keyfile deploy
+info_csr() {
+ cat <<-EOM
+ To generate a CSR run:
+ # postfix tls output-server-csr -k $2 [<hostname> ...]
+ EOM
+ if [ -z "$3" ]; then
+ echo "Save the signed certificate chain in ${config_directory}/$1, and deploy as above."
+ else
+ echo "Save the signed certificate chain in ${config_directory}/$1."
+ fi
+}
+
+# args: certfile keyfile deploy
+info_tlsa() {
+ # If already deployed, info for how to show all the deployed keys.
+ # Otherwise, just the new keys, so that TLSA records can be updated
+ # first.
+ if [ -n "$3" ]; then shift $#; fi
+ cat <<-EOM
+ To generate TLSA records run:
+ # postfix tls output-server-tlsa [-h <hostname>] $2
+ EOM
+}
+
+# args: certfile keyfile deploy
+info_dane_dns() {
+ # If already deployed, too late to wait, otherwise advise updating TLSA
+ # RRs before deployment.
+ if [ -n "$3" ]; then
+ cat <<-EOM
+ (If you have DANE TLSA RRs, update them as soon as possible to match
+ the newly deployed keys).
+ EOM
+ else
+ cat <<-EOM
+ (deploy after updating the DNS and waiting for stale RRs to expire).
+ EOM
+ fi
+}
+
+set_fqdn() {
+ if [ -n "$1" ]; then fqdn=$1; return 0; fi
+ fqdn=`$postconf -xh myhostname` || return 1
+ case $fqdn in /*) fqdn=`cat "${fqdn}"` || return 1;; esac
+}
+
+set_keyfile() {
+ keyfile=$1
+ case $keyfile in
+ "") : empty ok;;
+ $rsa) keyfile=`$postconf -nxh smtpd_tls_key_file`;;
+ $ecdsa) keyfile=`$postconf -nxh smtpd_tls_eckey_file`;;
+ esac
+ if [ "${keyfile}" = "none" ]; then keyfile= ; fi
+}
+
+check_key() {
+ read_key "$1" >/dev/null && return 0
+ $FATAL "no private key found in file: $1"
+ return 1
+}
+
+# Create new key or copy existing if specified.
+#
+ensure_key() {
+ _algo=$1; shift
+ _bits=$1; shift
+ stamp=`TZ=UTC date +%Y%m%d-%H%M%S`
+
+ case $_algo in
+ "") $FATAL "Internal error: empty algorithm "; return 1;;
+ $rsa) keyfile="key-${stamp}.pem"; certfile="cert-${stamp}.pem";;
+ $ecdsa) keyfile="eckey-${stamp}.pem"; certfile="eccert-${stamp}.pem";;
+ *) $FATAL "Internal error: bad algorithm '${_algo}'"
+ return 1;;
+ esac
+
+ if [ -r "${keyfile}" ]; then
+ $FATAL "New private key file already exists: ${keyfile}"
+ return 1
+ fi
+ if [ -r "${certfile}" ]; then
+ $FATAL "New certificate file already exists: ${certfile}"
+ return 1
+ fi
+
+ if [ -n "$1" ]; then
+ copy_key "${_algo}" "${_bits}" "$1" "${keyfile}" && return 0
+ else
+ create_key "${_algo}" "${_bits}" "${keyfile}" && return 0
+ fi
+ rm -f "${keyfile}"
+ return 1
+}
+
init_random_source() {
- rnd=`$postconf -xh tls_random_source`
- if [ -n "$rnd" ]
- then
- return 0
+ tls_random_source=$1
+
+ if [ -z "${tls_random_source}" ]; then
+ tls_random_source=`$postconf -xh tls_random_source`
+ fi
+ if [ -n "${tls_random_source}" ]; then
+ return 0
fi
if [ -r /dev/urandom ]
then
- echo "Setting tls_random_source to dev:/dev/urandom"
- $postconf -e 'tls_random_source = dev:/dev/urandom' || exit 1
+ tls_random_source=dev:/dev/urandom
else
- $FATAL no default TLS random source defined and no /dev/urandom
- return 1
+ $FATAL no default TLS random source defined and no /dev/urandom
+ return 1
fi
}
-show_dane_info() {
- echo "If you publish DANE TLSA records, see https://tools.ietf.org/html/rfc7671#section-8.1"
-}
-
all_default() {
prefix=$1; shift
for var in "$@"
do
- val=`$postconf -nh "${prefix}${var}"`
- if [ -n "$val" ]; then return 1; fi
+ val=`$postconf -nh "${prefix}${var}"`
+ if [ -n "$val" ]; then return 1; fi
done
return 0
}
# Select read-write database type for TLS session caches.
#
-cache_dbtype() {
+get_cache_db_type() {
var=$1; shift
prio=0
ret=1
- dbtype=
for _dbtype in `$postconf -m`
do
- _prio=0
- case $_dbtype in
- lmdb) _prio=2;;
- btree) _prio=1;;
- esac
- if [ "$_prio" -gt "$prio" ]
- then
- eval "$var=\$_dbtype"
- prio=$_prio
- ret=0
- fi
+ _prio=0
+ case $_dbtype in
+ lmdb) _prio=2;;
+ btree) _prio=1;;
+ esac
+ if [ "$_prio" -gt "$prio" ]
+ then
+ eval "$var=\$_dbtype"
+ prio=$_prio
+ ret=0
+ fi
done
return $ret
}
+deploy_server_cert() {
+ certfile=$1; shift
+ keyfile=$1; shift
+ deploy=$1; shift
+
+ # Sets key_algo, key_param and cert_param
+ check_key "$keyfile" || return 1
+
+ cd=`cert_pubkey_dgst "${certfile}"` || {
+ $FATAL "error computing certificate public key digest"
+ return 1
+ }
+ kd=`pubkey_dgst "$keyfile"` || {
+ $FATAL "error computing public key digest"
+ return 1
+ }
+
+ if [ "$cd" != "$kd" ]; then
+ $FATAL "Certificate in ${certfile} does not match key in ${keyfile}"
+ return 1
+ fi
+
+ set -- \
+ "${key_param} = ${keyfile}" \
+ "${cert_param} = ${certfile}"
+
+ if [ "${deploy}" = "enable" ]; then
+ set -- "$@" \
+ "smtpd_tls_security_level = may" \
+ "smtpd_tls_received_header = yes" \
+ "smtpd_tls_loglevel = 1"
+ fi
+
+ if [ -n "${tls_random_source}" ]; then
+ set -- "$@" "tls_random_source = ${tls_random_source}"
+ fi
+
+ # All in one shot, since postconf delays modifying "hot" main.cf files.
+ $postconf -e "$@" || return 1
+}
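Review bot: deploy_server_cert writes bare relative file names into main.cf (`"${key_param} = ${keyfile}"`), whereas the removed new_cert code wrote `\${config_directory}/${newcert}` and `\${config_directory}/${newkey}`. The relative names only mean something because this script did `cd $config_directory` first; unless Postfix resolves relative smtpd_tls_key_file paths against config_directory, prefix them as before (`"${key_param} = \${config_directory}/${keyfile}"`), which would also match info_csr, which already prints `${config_directory}/$1`. Minor: `cd` as the variable holding the certificate digest is easy to misread next to the `cd` builtin used elsewhere in the script; `certdgst` and `keydgst` would be clearer.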
+
+# Prepare a new cert and perhaps re-use any existing private key.
+#
+new_server_cert() {
+ algo=$1; shift
+ bits=$1; shift
+ oldkey=$1; shift
+ deploy=$1; shift
+
+ # resets keyfile (copy or else new) and new certfile
+ ensure_key "$algo" "$bits" "${oldkey}" || return 1
+ create_cert "${keyfile}" "${certfile}" "$@" || return 1
+ if [ -n "${deploy}" ]; then
+ deploy_server_cert "${certfile}" "${keyfile}" "${deploy}" || return 1
+ fi
+
+ (
+ if [ -z "${deploy}" ]; then
+ info_created "${certfile}" "${keyfile}" "${deploy}"
+ else
+ info_server_deployed "${certfile}" "${keyfile}" "${deploy}"
+ fi
+ info_csr "${certfile}" "${keyfile}" "${deploy}"
+ info_tlsa "${certfile}" "${keyfile}" "${deploy}"
+ if [ -z "${oldkey}" ]; then
+ info_dane_dns "${certfile}" "${keyfile}" "${deploy}"
+ fi
+ ) | $INFO
+}
+
enable_client() {
- init_random_source || return 1
if all_default smtp_ \
- use_tls enforce_tls tls_enforce_peername tls_security_level tls_cert_file
+ use_tls enforce_tls tls_enforce_peername tls_security_level tls_cert_file
then
- echo "Enabling opportunistic TLS in the Postfix SMTP client"
- if cache_dbtype dbtype
- then
- $postconf -e \
- "smtp_tls_security_level = may" \
- "smtp_tls_loglevel = 1" \
- "smtp_tls_session_cache_database = ${dbtype}:${data_directory}/smtp_scache"
- else
- $postconf -e \
- "smtp_tls_security_level = may" \
- "smtp_tls_loglevel = 1"
- fi
+ set -- \
+ "smtp_tls_security_level = may" \
+ "smtp_tls_loglevel = 1"
+
+ if get_cache_db_type dbtype
+ then
+ set -- "$@" \
+ "smtp_tls_session_cache_database = ${dbtype}:${data_directory}/smtp_scache"
+ fi
+
+ if [ -n "${tls_random_source}" ]; then
+ set -- "$@" "tls_random_source = ${tls_random_source}"
+ fi
+
+ # All in one shot, since postconf delays modifying "hot" main.cf files.
+ $postconf -e "$@" || return 1
+ info_client_deployed
else
- echo "*** Non-default SMTP client TLS settings detected."
- echo "To enable opportunistic TLS in the Postfix SMTP client: "
- echo "Set smtp_tls_security_level = may"
- echo "and smtp_tls_loglevel = 1"
- if cache_dbtype dbtype
- then
- echo "and smtp_tls_session_cache_database = ${dbtype}:${data_directory}/smtp_scache"
- fi
+ info_enable_client
fi | $INFO
}
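Review bot: enable_client expands `${data_directory}` at script run time in `smtp_tls_session_cache_database = ${dbtype}:${data_directory}/smtp_scache`, while info_enable_client suggests the literal `\${data_directory}` for the same parameter. Writing the literal form into main.cf keeps the cache path following data_directory if it is changed later; pick one form and make the deployed value and the advice consistent.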
enable_server() {
- init_random_source || exit 1
+ algo=$1; shift
+ bits=$1; shift
+
if all_default smtpd_ \
- use_tls enforce_tls tls_security_level tls_cert_file
+ use_tls enforce_tls tls_security_level tls_cert_file
then
- new_cert || exit 1
- echo "Enabling opportunistic TLS in the Postfix SMTP server"
- $postconf -e \
- "smtpd_tls_cert_file = ${conf_cert_file}" \
- "smtpd_tls_key_file = ${conf_key_file}" \
- "smtpd_tls_security_level = may" \
- "smtpd_tls_received_header = yes" \
- "smtpd_tls_loglevel = 1"
+ # algo bits keyfile deploy [hostnames ...]
+ new_server_cert "${algo}" "${bits}" "" "enable" "$@" || return 1
else
- echo "*** Non-default SMTP server TLS settings detected."
- echo "Enable TLS manually as appropriate."
- echo "Run \"postfix tls replace-cert\" to change your certificate"
- echo "or \"postfix tls replace-key\" to also change the private key."
- show_dane_info
- fi | $INFO
-}
-
-create_key() {
- # Prepare, but don't deploy, a new key.
- #
- new_cert || exit 1
- (echo "To use the new certificate in the Postfix SMTP server"
- echo "set smtpd_tls_key_file = ${conf_key_file}"
- echo "and smtpd_tls_cert_file = ${conf_cert_file}"
- show_dane_info) | $INFO
-}
-
-replace_key() {
- # Prepare *and* deploy a new key and certificate.
- #
- new_cert || exit 1
- $postconf -e \
- "smtpd_tls_key_file = ${conf_key_file}" \
- "smtpd_tls_cert_file = ${conf_cert_file}"
- $INFO "New TLS private key and certificate configured"
-}
-
-create_cert() {
- # Prepare, but don't deploy, a new cert,
- # re-use a private key if applicable
- #
- key=`$postconf -nxh smtpd_tls_key_file`
- new_cert ${key} || exit 1
- (echo "To use the new certificate in the Postfix SMTP server"
- echo "set smtpd_tls_key_file = ${conf_key_file}"
- echo "and smtpd_tls_cert_file = ${conf_cert_file}"
- show_dane_info) | $INFO
-}
-
-replace_cert() {
- # Prepare and deploy a new cert,
- # re-use a private key if applicable
- #
- key=`$postconf -nxh smtpd_tls_key_file`
- new_cert ${key} || exit 1
- $postconf -e \
- "smtpd_tls_key_file = ${conf_key_file}" \
- "smtpd_tls_cert_file = ${conf_cert_file}" || exit 1
- $INFO "New TLS private key and certificate configured"
-}
-
-gen_csr() {
- set_fqdn "$1" || return 1
- set_key "$2" || return 1
- $openssl req -new -sha256 -key "$key" -subj "/CN=$fqdn"
+ info_enable_server | $INFO
+ fi
}
-gen_tlsa() {
- set_fqdn "$1" || exit 1
- set_key "$2" || exit 1
- data=`pubkey_dgst "$key"`
+output_server_tlsa() {
+ hostname=$1
+ check_key "$2" || return 1
+ data=`pubkey_dgst "$2"` || return 1
if [ -z "$data" ]
then
- $FATAL error computing SHA2-256 SPKI digest of "$key"
- return 1
+ $FATAL error computing SHA2-256 SPKI digest of "$key"
+ return 1
fi
- echo "_25._tcp.$fqdn. IN TLSA 3 1 1 $data"
+ echo "_25._tcp.$hostname. IN TLSA 3 1 1 $data"
}
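Review bot: the error message in output_server_tlsa still references `$key` (`$FATAL error computing SHA2-256 SPKI digest of "$key"`), a variable that was set by the removed set_key; in the new function the key file is `$2`, so the message would print an empty name. Use `"$2"` there. The `-z "$data"` branch is now reachable only when pubkey_dgst exits 0 with empty output, since `|| return 1` already covers failure; keeping it as a belt-and-braces check is fine, but it should name the right file.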
#
# Parse JCL
#
case $1 in
+enable-client)
+ cmd=$1; shift; OPTIND=1
+ rand=
+ while getopts :r: _opt
+ do
+ case $_opt in
+ r) rand="${OPTARG}";;
+ *) $FATAL "usage: postfix tls $cmd [-r devrandom]"
+ exit 1;;
+ esac
+ done
-enable-client) enable_client || exit 1;;
-enable-server) enable_server || exit 1;;
- create-key) create_key || exit 1;;
- create-cert) create_cert || exit 1;;
- replace-key) replace_key || exit 1;;
- replace-cert) replace_cert || exit 1;;
- gen-csr) shift; gen_csr "$@" || exit 1;;
- gen-tlsa) shift; gen_tlsa "$@" || exit 1;;
- *)
- $ERROR "unknown tls command: '$1'"
- $FATAL "usage: postfix tls enable-client (or enable-server, create-key, create-cert, replace-key, replace-cert, gen-csr, gen-tlsa)"
- exit 1;;
+ # No positional arguments supported with enable-client
+ if [ $# -ge "${OPTIND}" ]; then
+ $FATAL "usage: postfix tls $cmd [-r devrandom]"
+ exit 1
+ fi
+ # But, shift anyway
+ shift `expr $OPTIND - 1`
+
+ init_random_source "${rand}" || exit 1
+ enable_client || exit 1
+ ;;
+
+enable-server)
+ cmd=$1; shift; OPTIND=1
+ algo=$DEFALG
+ bits=
+ rand=
+ while getopts :a:b:r: _opt
+ do
+ case $_opt in
+ a) algo="${OPTARG}";;
+ b) bits="${OPTARG}";;
+ r) rand="${OPTARG}";;
+ *) $FATAL "usage: postfix tls $cmd [-a algorithm] [-b bits ] [-r devrandom] [hostname ...]"
+ exit 1;;
+ esac
+ done
+
+ # Here positional arguments are hostnames for the new certificate, as
+ # many as the user wants
+ shift `expr $OPTIND - 1`
+
+ case $algo in
+ "") $FATAL "Internal error: empty algorithm "; return 1;;
+ $rsa) : ${bits:=${RSA_BITS}};;
+ $ecdsa) : ${bits:=${EC_CURVE}};;
+ *) $FATAL "Unsupported private key algorithm: $algo"
+ exit 1;;
+ esac
+
+ init_random_source "${rand}" || exit 1
+ enable_server "${algo}" "${bits}" "$@" || exit 1
+ ;;
+
+new-server-key)
+ cmd=$1; shift; OPTIND=1
+ algo=$DEFALG
+ while getopts :a:b: _opt
+ do
+ case $_opt in
+ a) algo="${OPTARG}";;
+ b) bits="${OPTARG}";;
+ *) $FATAL "usage: postfix tls $cmd [-a algorithm] [-b bits ] [hostname ...]"
+ exit 1;;
+ esac
+ done
+
+ # Here positional arguments are hostnames for the new certificate, as
+ # many as the user wants
+ shift `expr $OPTIND - 1`
+
+ case $algo in
+ "") $FATAL "Internal error: empty algorithm "; return 1;;
+ $rsa) : ${bits:=${RSA_BITS}};;
+ $ecdsa) : ${bits:=${EC_CURVE}};;
+ *) $FATAL "Unsupported public key algorithm: $algo"
+ exit 1;;
+ esac
+
+ # Force new key
+ new_server_cert "${algo}" "${bits}" "" "" "$@" || exit 1
+ ;;
+
+new-server-cert)
+ cmd=$1; shift; OPTIND=1
+ algo=$DEFALG
+ while getopts :a:b: _opt
+ do
+ case $_opt in
+ a) algo="${OPTARG}";;
+ b) bits="${OPTARG}";;
+ *) $FATAL "usage: postfix tls $cmd [-a algorithm] [-b bits ] [hostname ...]"
+ exit 1;;
+ esac
+ done
+
+ # Here positional arguments are hostnames for the new certificate, as
+ # many as the user wants
+ shift `expr $OPTIND - 1`
+
+ case $algo in
+ "") $FATAL "Invalid empty key algorithm"; exit 1;;
+ $rsa) : ${bits:=${RSA_BITS}};;
+ $ecdsa) : ${bits:=${EC_CURVE}};;
+ *) $FATAL "Unsupported private key algorithm: $algo"
+ exit 1;;
+ esac
+
+ # Existing keyfile or empty
+ set_keyfile "${algo}"
+
+ # Try to re-use (copy) existing key.
+ new_server_cert "${algo}" "${bits}" "${keyfile}" "" "$@" || exit 1
+ ;;
+
+deploy-server-cert)
+ if [ $# -ne 3 ]; then
+ $FATAL "usage: postfix tls $1 certfile keyfile"
+ exit 1
+ fi
+ shift
+ deploy_server_cert "$@" || exit 1
+ info_server_deployed "$1" "$2" "deploy" | $INFO
+ ;;
+
+output-server-csr)
+ cmd=$1; shift; OPTIND=1
+ k=
+ while getopts :k: _opt
+ do
+ case $_opt in
+ k) k="${OPTARG}";;
+ *) $FATAL "usage: postfix tls $cmd [-k keyfile] [hostname ...]"
+ exit 1;;
+ esac
+ done
+
+ # Here positional arguments are hostnames for the new certificate, as
+ # many as the user wants
+ shift `expr $OPTIND - 1`
+
+ if [ -n "${k}" ]; then
+ set_keyfile "${k}"
+ else
+ for _algo in $rsa $ecdsa
+ do
+ set_keyfile "${_algo}"
+ if [ -n "${keyfile}" ]; then
+ break
+ fi
+ done
+ fi
+
+ if [ -z "${keyfile}" -o ! -r "${keyfile}" ]; then
+ $FATAL "No usable keyfile specified or configured"
+ exit 1
+ fi
+
+ # Default <hostname> from $myhostname
+ if [ $# -eq 0 ]; then
+ set_fqdn
+ set -- "$fqdn"
+ fi
+
+ # Output a CSR for the requested names
+ output_server_csr "$keyfile" "$@" || exit 1
+ ;;
+
+output-server-tlsa)
+ cmd=$1; shift; OPTIND=1
+ hostname=
+ while getopts :h: _opt
+ do
+ case $_opt in
+ h) hostname="${OPTARG}";;
+ *) $FATAL "usage: postfix tls $cmd [-h hostname] [keyfile ...]"
+ exit 1;;
+ esac
+ done
+ set_fqdn "${hostname}"
+
+ # Here positional arguments are keyfiles for which we ouput "3 1 1"
+ # TLSA RRs, as many keyfiles as the user wants. By default the live
+ # RSA and/or ECDSA keys.
+ shift `expr $OPTIND - 1`
+
+ if [ $# -eq 0 ]; then set -- $rsa $ecdsa; fi
+
+ found=
+ for _k in "$@"
+ do
+ set_keyfile "${_k}"
+ if [ -z "${keyfile}" ]; then continue; fi
+ echo "; ${keyfile}"
+ output_server_tlsa "${fqdn}" "${keyfile}" || exit 1
+ found=1
+ done
+ if [ -z "${found}" ]; then
+ $FATAL "No usable keyfiles specified or configured"
+ exit 1
+ fi
+ ;;
+
+*)
+ $ERROR "unknown tls command: '$1'"
+ $FATAL "usage: postfix tls enable-client (or enable-server, new-server-key, new-server-cert, deploy-server-cert, output-server-csr, output-server-tlsa)"
+ exit 1
+ ;;
esac
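Review bot: the `"") $FATAL "Internal error: empty algorithm "; return 1;;` arms in the enable-server and new-server-key cases are at top level, not inside a function; `return` outside a function is not portable across /bin/sh implementations, and the new-server-cert arm already uses `exit 1` for the same condition. Use `exit 1` in all three. Also `bits=` is initialised in enable-server but not in new-server-key or new-server-cert, so an inherited environment variable named bits would override the RSA_BITS/EC_CURVE default there; add `bits=` to both. Typo in the output-server-tlsa comment: "ouput" should be "output", and the usage strings have a stray space in `[-b bits ]`.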
postqueue.1.html postsuper.1.html sendmail.1.html \
smtp-source.1.html smtp-sink.1.html posttls-finger.1.html \
qmqp-source.1.html qmqp-sink.1.html \
- qshape.1.html
+ qshape.1.html postfix-tls.1.html
CONFIG = access.5.html aliases.5.html canonical.5.html relocated.5.html \
transport.5.html virtual.5.html pcre_table.5.html regexp_table.5.html \
cidr_table.5.html tcp_table.5.html header_checks.5.html \
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | $(NROFF) -man | uniq | $(MAN2HTML) | postlink >$@
+postfix-tls.1.html: ../conf/postfix-tls-script
+ PATH=../mantools:$$PATH; \
+ srctoman - $? | $(AWK) | $(NROFF) -man | uniq | $(MAN2HTML) | postlink >$@
+
postkick.1.html: ../src/postkick/postkick.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | $(NROFF) -man | uniq | $(MAN2HTML) | postlink >$@
P.O. Box 704
Yorktown Heights, NY 10598, USA
+ Wietse Venema
+ Google, Inc.
+ 111 8th Avenue
+ New York, NY 10011, USA
+
CLEANUP(8)
</pre> </body> </html>
<b>postconf -t</b> [<b>-v</b>] [<b>-c</b> <i>config</i><b>_</b><i>dir</i>] [<i>template</i><b>_</b><i>file</i>]
+ <b>Managing TLS features:</b>
+
+ <b>postconf</b> [<b>-v</b>] [<b>-c</b> <i>config</i><b>_</b><i>dir</i>] <b>-T</b> <i>mode</i>
+
<b>Managing other configuration:</b>
<b>postconf -a</b>|<b>-A</b>|<b>-l</b>|<b>-m</b> [<b>-v</b>] [<b>-c</b> <i>config</i><b>_</b><i>dir</i>]
This feature is available with Postfix 2.3 and later.
+ <b>-T</b> <i>mode</i>
+ If Postfix is compiled without TLS support, the <b>-T</b> option pro-
+ duces no output. Otherwise, if an invalid <i>mode</i> is specified,
+ the <b>-T</b> option reports an error and exits with a non-zero status
+ code. The valid modes are:
+
+ <b>compile-version</b>
+ Output the OpenSSL version that Postfix was compiled with
+ (i.e. the OpenSSL version in a header file). The output
+ format is the same as with the command "<b>openssl version</b>".
+
+ <b>run-version</b>
+ Output the OpenSSL version that Postfix is linked with at
+ runtime (i.e. the OpenSSL version in a shared library).
+
+ <b>public-key-algorithms</b>
+ Output the lower-case names of the supported public-key
+ algorithms, one per-line.
+
+ This feature is available with Postfix 3.1 and later.
+
<b>-v</b> Enable verbose logging for debugging purposes. Multiple <b>-v</b>
options make the software increasingly verbose.
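Review bot: in the -T public-key-algorithms description, "one per-line" should read "one per line". The mode list otherwise matches what the script consumes: compile-version for the TLS-support check and public-key-algorithms for the rsa/ecdsa detection.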
<DT><b><a name="lmtp_address_verify_target">lmtp_address_verify_target</a>
(default: rcpt)</b></DT><DD>
-<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_dns_support_level">smtp_dns_support_level</a>
+<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_address_verify_target">smtp_address_verify_target</a>
configuration parameter. See there for details. </p>
<p> This feature is available in Postfix 3.0 and later. </p>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
# NetBSD pkgsrc:
- openssl_path = /usr/pkg/bin/openssl
+ <a href="postconf.5.html#openssl_path">openssl_path</a> = /usr/pkg/bin/openssl
# Local build:
- openssl_path = /usr/local/bin/openssl
+ <a href="postconf.5.html#openssl_path">openssl_path</a> = /usr/local/bin/openssl
</pre>
</blockquote>
<li> <a href="postfix.1.html">postfix(1)</a>, Postfix control program
+<li> <a href="postfix-tls.1.html">postfix-tls(1)</a>, Postfix TLS management
+
<li> <a href="postkick.1.html">postkick(1)</a>, trigger Postfix daemon
<li> <a href="postlock.1.html">postlock(1)</a>, Postfix-compatible locking
--- /dev/null
+<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
+ "http://www.w3.org/TR/html4/loose.dtd">
+<html> <head>
+<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
+<title> Postfix manual - postfix-tls(1) </title>
+</head> <body> <pre>
+POSTFIX-TLS(1) POSTFIX-TLS(1)
+
+<b>NAME</b>
+ postfix-tls - Postfix TLS management
+
+<b>SYNOPSIS</b>
+ <b>postfix tls</b> <i>subcommand</i> <b>...</b>
+
+<b>DESCRIPTION</b>
+ The "<b>postfix tls</b> <i>subcommand</i> <b>...</b>" feature enables opportunistic TLS in
+ the Postfix SMTP client and/or server, and manages Postfix SMTP server
+ private keys and certificates.
+
+ The following subcommands are available:
+
+ <b>enable-client</b> [<b>-r</b> <i>randsource</i>]
+ Enable opportunistic TLS in the Postfix SMTP client, if all SMTP
+ client TLS settings are at their default values. Otherwise,
+ suggest parameter settings without making any changes.
+
+ Specify <i>randsource</i> to update the value of the <b><a href="postconf.5.html#tls_random_source">tls_random_source</a></b>
+ configuration parameter (typically, /dev/urandom). Prepend <b>dev:</b>
+ to device paths or <b>egd:</b> to EGD socket paths.
+
+ <b>enable-server</b> [<b>-r</b> <i>randsource</i>] [<b>-a</b> <i>algorithm</i>] [<b>-b</b> <i>bits</i>] [<i>hostname</i> <b>...</b>]
+ Create a new private key and self-signed server certificate and
+ enable opportunistic TLS in the Postfix SMTP server, if all SMTP
+ server TLS settings are at their default values. Otherwise,
+ suggest parameter settings without making any changes.
+
+ The <i>randsource</i> parameter is as with <b>enable-client</b> above, and the
+ remaining options are as with <b>new-server-key</b> below.
+
+ <b>new-server-key</b> [<b>-a</b> <i>algorithm</i>] [<b>-b</b> <i>bits</i>] [<i>hostname</i> <b>...</b>]
+ Create a new private key and self-signed server certificate, but
+ do not deploy them. Log and display commands to deploy the new
+ key and corresponding certificate. Also log and display com-
+ mands to output a corresponding CSR or TLSA records which may be
+ needed to obtain a CA certificate or to update DNS before the
+ new key can be deployed.
+
+ The <i>algorithm</i> defaults to <b>rsa</b>, and <i>bits</i> defaults to 2048. If
+ you choose the <b>ecdsa</b> <i>algorithm</i> then <i>bits</i> will be an EC curve
+ name (by default <b>secp256r1</b>, also known as prime256v1). Curves
+ other than <b>secp256r1</b>, <b>secp384r1</b> or <b>secp521r1</b> are unlikely to be
+ widely interoperable. When generating EC keys, use one of these
+ three. DSA keys are obsolete and are not supported.
+
+ Note: ECDSA support requires OpenSSL 1.0.0 or later and may not
+ be available on your system. Not all client systems will sup-
+ port ECDSA, so you'll generally want to deploy both RSA and
+ ECDSA certificates to make use of ECDSA with compatible clients
+ and RSA with the rest. If you want to deploy certificate chains
+ with intermediate CAs for both RSA and ECDSA, you'll want at
+ least OpenSSL 1.0.2, as earlier versions may not handle multiple
+ chain files correctly.
+
+ The first <i>hostname</i> argument will be the <b>CommonName</b> of both the
+ subject and issuer of the self-signed certificate. It, and any
+ additional <i>hostname</i> arguments, will also be listed as DNS alter-
+ native names in the certificate. If no <i>hostname</i> is provided the
+ value of the <b><a href="postconf.5.html#myhostname">myhostname</a></b> <a href="postconf.5.html">main.cf</a> parameter will be used.
+
+ For RSA, the generated private key and certificate files are
+ named <b>key-</b><i>yyyymmdd-hhmmss</i><b>.pem</b> and <b>cert-</b><i>yyyymmdd-hhmmss</i><b>.pem</b>,
+ where <i>yyyymmdd</i> is the calendar date and <i>hhmmss</i> is the time of
+ day in UTC. For ECDSA, the file names start with <b>eckey-</b> and
+ <b>eccert-</b> instead of <b>key-</b> and <b>cert-</b> respectively.
+
+ Before deploying the new key and certificate with DANE, update
+ the DNS with new DANE TLSA records, then wait for secondary
+ nameservers to update and then for stale records in remote DNS
+ caches to expire.
+
+ Before deploying a new CA certificate make sure to include all
+ the required intermediate issuing CA certificates in the cer-
+ tificate chain file. The server certificate must be the first
+ certificate in the chain file. Overwrite and deploy the file
+ with the original self-signed certificate that was generated
+ together with the key.
+
+ <b>new-server-cert</b> [<b>-a</b> <i>algorithm</i>] [<b>-b</b> <i>bits</i>] [<i>hostname</i> <b>...</b>]
+ This is just like <b>new-server-key</b> except that, rather than gener-
+ ating a new private key, any currently deployed private key is
+ copied to the new key file. Thus if you're publishing DANE TLSA
+ "3 1 1" or "3 1 2" records, there is no need to update DNS
+ records. The <i>algorithm</i> <b>and</b> <i>bits</i> arguments are used only if no
+ key of the same algorithm is already configured.
+
+ This command is rarely needed, because the self-signed certifi-
+ cates generated have a 100-year nominal expiration time. The
+ underlying public key algorithms may well be obsoleted by quan-
+ tum computers long before then.
+
+ The most plausible reason for using this command is when the
+ system hostname changes, and you'd like the name in the certifi-
+ cate to match the new hostname (not required for DANE "3 1 1",
+ but some needlessly picky non-DANE opportunistic TLS clients may
+ log warnings or even refuse to communicate).
+
+ <b>deploy-server-cert</b> <i>certfile keyfile</i>
+ This subcommand deploys the certificates in <i>certfile</i> and private
+ key in <i>keyfile</i> (which are typically generated by the commands
+ above, which will also log and display the full command needed
+ to deploy the generated key and certificate). After the new
+ certificate and key are deployed any obsolete keys and certifi-
+ cates may be removed by hand. The <i>keyfile</i> and <i>certfile</i> file-
+ names are relative to the Postfix configuration directory.
+
+ <b>output-server-csr</b> [<b>-k</b> <i>keyfile</i>] [<i>hostname</i>
+ Write to stdout a certificate signing request (CSR) for the
+ specified <i>keyfile</i>.
+
+ Instead of a filename, <i>keyfile</i> may specify one of the supported
+ key algorithm names (see "<b>postconf -T public-key-algorithms</b>").
+ In that case, the corresponding setting from <a href="postconf.5.html">main.cf</a> is used to
+ locate the <i>keyfile</i>. The default <i>keyfile</i> value is <b>rsa</b>.
+
+ Zero or more <i>hostname</i> values can be specified. The default
+ <i>hostname</i> is the value of <b><a href="postconf.5.html#myhostname">myhostname</a></b> <a href="postconf.5.html">main.cf</a> parameter.
+
+ <b>output-server-tlsa</b> [<b>-h</b> <i>hostname</i>] [<i>keyfile</i> <b>...</b>]
+ Write to stdout a DANE TLSA RRset suitable for a port 25 SMTP
+ server on host <i>hostname</i> with keys from any of the specified <i>key-</i>
+ <i>file</i> values. The default <i>hostname</i> is the value of the <b>myhost-</b>
+ <b>name</b> <a href="postconf.5.html">main.cf</a> parameter.
+
+ Instead of filenames, the <i>keyfile</i> list may specify names of sup-
+ ported public key algorithms (see "<b>postconf -T public-key-algo-</b>
+ <b>rithms</b>"). In that case, the actual <i>keyfile</i> list uses the values
+ of the corresponding Postfix server TLS key file parameters. If
+ a parameter value is empty or equal to <b>none</b>, then no TLSA record
+ is output for that algorithm.
+
+ The default <i>keyfile</i> list consists of the two supported algo-
+ rithms <b>rsa</b> and <b>ecdsa</b>.
+
+<b>CONFIGURATION PARAMETERS</b>
+ The "<b>postfix tls</b> <i>subcommand</i> <b>...</b>" feature reads or updates the following
+ configuration parameters.
+
+ <b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b>
+ The location of all postfix administrative commands.
+
+ <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
+ The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
+ figuration files.
+
+ <b><a href="postconf.5.html#openssl_path">openssl_path</a> (openssl)</b>
+ The location of the OpenSSL command line program <b>openssl</b>(1).
+
+ <b><a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> (0)</b>
+ Enable additional Postfix SMTP client logging of TLS activity.
+
+ <b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b>
+ The default SMTP TLS security level for the Postfix SMTP client;
+ when a non-empty value is specified, this overrides the obsolete
+ parameters <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>, and
+ <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>.
+
+ <b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b>
+ Name of the file containing the optional Postfix SMTP client TLS
+ session cache.
+
+ <b><a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> (empty)</b>
+ File with the Postfix SMTP server RSA certificate in PEM format.
+
+ <b><a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a> (empty)</b>
+ File with the Postfix SMTP server ECDSA certificate in PEM for-
+ mat.
+
+ <b><a href="postconf.5.html#smtpd_tls_eckey_file">smtpd_tls_eckey_file</a> ($<a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a>)</b>
+ File with the Postfix SMTP server ECDSA private key in PEM for-
+ mat.
+
+ <b><a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a> ($<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>)</b>
+ File with the Postfix SMTP server RSA private key in PEM format.
+
+ <b><a href="postconf.5.html#smtpd_tls_loglevel">smtpd_tls_loglevel</a> (0)</b>
+ Enable additional Postfix SMTP server logging of TLS activity.
+
+ <b><a href="postconf.5.html#smtpd_tls_received_header">smtpd_tls_received_header</a> (no)</b>
+ Request that the Postfix SMTP server produces Received: message
+ headers that include information about the protocol and cipher
+ used, as well as the remote SMTP client CommonName and client
+ certificate issuer CommonName.
+
+ <b><a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> (empty)</b>
+ The SMTP TLS security level for the Postfix SMTP server; when a
+ non-empty value is specified, this overrides the obsolete param-
+ eters <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> and <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>.
+
+ <b><a href="postconf.5.html#tls_random_source">tls_random_source</a> (see 'postconf -d' output)</b>
+ The external entropy source for the in-memory <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> pseudo
+ random number generator (PRNG) pool.
+
+<b>SEE ALSO</b>
+ <a href="master.8.html">master(8)</a> Postfix master program
+ <a href="postfix.1.html">postfix(1)</a> Postfix administrative interface
+
+<b>LICENSE</b>
+ The Secure Mailer license must be distributed with this software.
+
+<b>AUTHOR(S)</b>
+ Viktor Dukhovni
+
+ POSTFIX-TLS(1)
+</pre> </body> </html>
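Review bot: the new-server-key and deploy-server-cert descriptions never say who owns the generated key-*.pem / eckey-*.pem files or what mode they are created with, and deploy-server-cert writes paths "relative to the Postfix configuration directory"; the SMTP server reads the private key as root, so the file should be root-owned and not readable by anyone else, and the page should state what the script does about that (and that an existing file at the target name is overwritten, if it is). Two rendering defects in the same file come from the nroff source it is generated from: the output-server-csr synopsis is cut off after "[<i>hostname</i>" so the closing "...]" is lost, and in the new-server-cert paragraph "The <i>algorithm</i> <b>and</b> <i>bits</i> arguments" sets "and" in bold. Also, "Before deploying a new CA certificate make sure to include all the required intermediate issuing CA certificates" should read "a new CA-issued certificate": what gets deployed is the server certificate plus its issuing chain, not a CA certificate.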
<b>status</b> Indicate if the Postfix mail system is currently running.
- <b>set-permissions [</b><i>name</i>=<i>value ...</i><b>]</b>
+ <b>set-permissions</b> [<i>name</i>=<i>value ...</i>]
Set the ownership and permissions of Postfix related files and
directories, as specified in the <b>postfix-files</b> file.
fix 2.0 and earlier, use "<b>$<a href="postconf.5.html#config_directory">config_directory</a>/post-install</b>
<b>set-permissions</b>".
- <b>tls</b> <i>subcommand...</i>
+ <b>tls</b> <i>subcommand</i> <b>...</b>
Enable opportunistic TLS in the Postfix SMTP client or server,
- or generate or replace Postfix SMTP server TLS private keys and
- certificates. See the section "TLS SUBCOMMANDS" below.
+ and manage Postfix SMTP server TLS private keys and certifi-
+ cates. See <a href="postfix-tls.1.html">postfix-tls(1)</a> for documentation.
This feature is available in Postfix 3.1 and later.
- <b>upgrade-configuration [</b><i>name</i>=<i>value ...</i><b>]</b>
+ <b>upgrade-configuration</b> [<i>name</i>=<i>value ...</i>]
Update the <a href="postconf.5.html"><b>main.cf</b></a> and <a href="master.5.html"><b>master.cf</b></a> files with information that
Postfix needs in order to run: add or update services, and add
or update configuration parameter settings.
<b>-v</b> Enable verbose logging for debugging purposes. Multiple <b>-v</b>
options make the software increasingly verbose.
-<b>TLS SUBCOMMANDS</b>
- The "<b>postfix tls</b> <i>subcommand...</i>" feature implements the following sub-
- commands:
-
- <b>enable-client</b>
- Enable opportunistic TLS in the Postfix SMTP client, if all SMTP
- client TLS settings are at their default values. Otherwise, sug-
- gest parameter settings without making any changes.
-
- <b>enable-server</b>
- Create a new private key and self-signed server certificate.
- Enable opportunistic TLS in the Postfix SMTP server, if all SMTP
- server TLS settings are at their default values. Otherwise, sug-
- gest parameter settings without making any changes.
-
- <b>create-key</b>
- Create a new 2048-bit RSA private key and self-signed server
- certificate, but do not deploy them. Log and display suggested
- <a href="postconf.5.html">main.cf</a> settings to deploy the new key and certificate in the
- Postfix SMTP server.
-
- Before deploying the new key and certificate with DANE, use the
- command "<b>postfix tls gen-tlsa</b> <i>hostname keyfile</i>" to write recom-
- mended TLSA records to stdout. Update the DNS with new DANE
- TLSA records, then wait for secondary nameservers to update, and
- wait for stale records in remote DNS caches to expire.
-
- Before deploying the new key and certificate with PKI in the
- Postfix SMTP server, use the command "<b>postfix tls gen-csr</b>" to
- obtain a certificate signing request (CSR) for the new key, and
- replace the self-signed certificate with a CA-issued one before
- deployment.
-
- After taking zero or more of the above step(s), deploy the new
- key and certificate using the suggested <a href="postconf.5.html">main.cf</a> settings men-
- tioned above.
-
- <b>create-cert</b>
- This is just like <b>create-key</b> except that, rather than generating
- a new private key, any currently deployed private key is copied
- to the new key file. Thus if you're publishing DANE TLSA "3 1
- 1" records, there is no need to update DNS records.
-
- This command is rarely needed, because the certificates gener-
- ated have a 100-year nominal expiration time. The RSA algorithm
- may well be obsoleted by quantum computers long before then.
-
- The most plausible reason for using this command is when system
- hostname changes, and you'd like the name in the certificate to
- match the new hostname (not required for DANE "3 1 1", but some
- needlessly picky non-DANE opportunistic TLS clients may log
- warnings or even refuse to communicate).
-
- <b>replace-key</b>
- This is like <b>create-key</b>, but immediately deploys the new private
- key and self-signed server certificate. Obsolete keys and cer-
- tificates may be removed by hand. Files created with "<b>postfix</b>
- <b>tls</b>" commands are named key-<i>yyyymmdd-hhmmss</i>.pem and cert-<i>yyyym-</i>
- <i>mdd-hhmmss</i>.pem, where <i>yyyymmdd</i> is the calendar date and <i>hhmmss</i>
- is the time of day.
-
- <b>replace-cert</b>
- This is like <b>replace-key</b>, but copies any currently deployed pri-
- vate key if one exists, and immediately deploys the key and the
- new self-signed server certificate. This is safe with DANE TLSA
- "3 1 1" records. As noted before, replacement of just the cer-
- tificate is rarely needed.
-
- <b>gen-csr [</b><i>hostname</i><b>] [</b><i>keyfile</i><b>]</b>
- Write to stdout a certificate signing request (CSR) for the
- specified <i>hostname</i> (by default, the value of the <b><a href="postconf.5.html#myhostname">myhostname</a></b>
- <a href="postconf.5.html">main.cf</a> parameter) and private key file <i>keyfile</i> (by default, the
- value of the <b><a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a></b> <a href="postconf.5.html">main.cf</a> parameter).
-
- <b>gen-tlsa [</b><i>hostname</i><b>] [</b><i>keyfile</i><b>]</b>
- Write to stdout a DANE TLSA record suitable for a port 25 SMTP
- server on host <i>hostname</i> (default: the value of the <b><a href="postconf.5.html#myhostname">myhostname</a></b>
- <a href="postconf.5.html">main.cf</a> parameter) with private key file <i>keyfile</i> (default: the
- value of the <b><a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a></b> <a href="postconf.5.html">main.cf</a> parameter).
-
<b>ENVIRONMENT</b>
- The <a href="postfix.1.html"><b>postfix</b>(1)</a> command exports the following environment variables
+ The <a href="postfix.1.html"><b>postfix</b>(1)</a> command exports the following environment variables
before executing the <b>postfix-script</b> file:
<b>MAIL_CONFIG</b>
This is set when the -c command-line option is present.
With Postfix 2.6 and later, this environment variable forces the
- <a href="postfix.1.html">postfix(1)</a> command to operate on the specified Postfix instance
- only. This behavior is inherited by <a href="postfix.1.html">postfix(1)</a> commands that
+ <a href="postfix.1.html">postfix(1)</a> command to operate on the specified Postfix instance
+ only. This behavior is inherited by <a href="postfix.1.html">postfix(1)</a> commands that
run as a descendant of the current process.
<b>MAIL_VERBOSE</b>
ment variables with the same names:
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
- The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
+ The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
figuration files.
<b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b>
The directory with Postfix support programs and daemon programs.
<b><a href="postconf.5.html#html_directory">html_directory</a> (see 'postconf -d' output)</b>
- The location of Postfix HTML files that describe how to build,
+ The location of Postfix HTML files that describe how to build,
configure or operate a specific Postfix subsystem or feature.
<b><a href="postconf.5.html#mail_owner">mail_owner</a> (postfix)</b>
- The UNIX system account that owns the Postfix queue and most
+ The UNIX system account that owns the Postfix queue and most
Postfix daemon processes.
<b><a href="postconf.5.html#mailq_path">mailq_path</a> (see 'postconf -d' output)</b>
- Sendmail compatibility feature that specifies where the Postfix
+ Sendmail compatibility feature that specifies where the Postfix
<a href="mailq.1.html"><b>mailq</b>(1)</a> command is installed.
<b><a href="postconf.5.html#manpage_directory">manpage_directory</a> (see 'postconf -d' output)</b>
Where the Postfix manual pages are installed.
<b><a href="postconf.5.html#newaliases_path">newaliases_path</a> (see 'postconf -d' output)</b>
- Sendmail compatibility feature that specifies the location of
+ Sendmail compatibility feature that specifies the location of
the <a href="newaliases.1.html"><b>newaliases</b>(1)</a> command.
<b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
configure or operate a specific Postfix subsystem or feature.
<b><a href="postconf.5.html#sendmail_path">sendmail_path</a> (see 'postconf -d' output)</b>
- A Sendmail compatibility feature that specifies the location of
+ A Sendmail compatibility feature that specifies the location of
the Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command.
<b><a href="postconf.5.html#setgid_group">setgid_group</a> (postdrop)</b>
- The group ownership of set-gid Postfix commands and of
+ The group ownership of set-gid Postfix commands and of
group-writable Postfix directories.
Available in Postfix version 2.5 and later:
<b><a href="postconf.5.html#data_directory">data_directory</a> (see 'postconf -d' output)</b>
- The directory with Postfix-writable data files (for example:
+ The directory with Postfix-writable data files (for example:
caches, pseudo-random numbers).
Available in Postfix version 3.0 and later:
<b><a href="postconf.5.html#meta_directory">meta_directory</a> (see 'postconf -d' output)</b>
- The location of non-executable files that are shared among mul-
- tiple Postfix instances, such as postfix-files, dynamicmaps.cf,
- and the multi-instance template files <a href="postconf.5.html">main.cf</a>.proto and <a href="master.5.html">mas-
+ The location of non-executable files that are shared among mul-
+ tiple Postfix instances, such as postfix-files, dynamicmaps.cf,
+ and the multi-instance template files <a href="postconf.5.html">main.cf</a>.proto and <a href="master.5.html">mas-
ter.cf</a>.proto.
<b><a href="postconf.5.html#shlib_directory">shlib_directory</a> (see 'postconf -d' output)</b>
- The location of Postfix dynamically-linked libraries (libpost-
- fix-*.so), and the default location of Postfix database plugins
- (postfix-*.so) that have a relative pathname in the dynam-
+ The location of Postfix dynamically-linked libraries (libpost-
+ fix-*.so), and the default location of Postfix database plugins
+ (postfix-*.so) that have a relative pathname in the dynam-
icmaps.cf file.
+ Available in Postfix version 3.1 and later:
+
+ <b>openssl_path (openssl)</b>
+ The location of the OpenSSL command line program <b>openssl</b>(1).
+
Other configuration parameters:
<b><a href="postconf.5.html#import_environment">import_environment</a> (see 'postconf -d' output)</b>
- The list of environment parameters that a Postfix process will
+ The list of environment parameters that a Postfix process will
import from a non-Postfix parent process.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
- The mail system name that is prepended to the process name in
- syslog records, so that "smtpd" becomes, for example, "post-
+ The mail system name that is prepended to the process name in
+ syslog records, so that "smtpd" becomes, for example, "post-
fix/smtpd".
Available in Postfix version 2.6 and later:
<b><a href="postconf.5.html#multi_instance_directories">multi_instance_directories</a> (empty)</b>
- An optional list of non-default Postfix configuration directo-
- ries; these directories belong to additional Postfix instances
- that share the Postfix executable files and documentation with
- the default Postfix instance, and that are started, stopped,
+ An optional list of non-default Postfix configuration directo-
+ ries; these directories belong to additional Postfix instances
+ that share the Postfix executable files and documentation with
+ the default Postfix instance, and that are started, stopped,
etc., together with the default Postfix instance.
<b><a href="postconf.5.html#multi_instance_wrapper">multi_instance_wrapper</a> (empty)</b>
- The pathname of a multi-instance manager command that the <a href="postfix.1.html"><b>post-</b></a>
- <a href="postfix.1.html"><b>fix</b>(1)</a> command invokes when the <a href="postconf.5.html#multi_instance_directories">multi_instance_directories</a>
+ The pathname of a multi-instance manager command that the <a href="postfix.1.html"><b>post-</b></a>
+ <a href="postfix.1.html"><b>fix</b>(1)</a> command invokes when the <a href="postconf.5.html#multi_instance_directories">multi_instance_directories</a>
parameter value is non-empty.
<b><a href="postconf.5.html#multi_instance_group">multi_instance_group</a> (empty)</b>
The optional instance name of this Postfix instance.
<b><a href="postconf.5.html#multi_instance_enable">multi_instance_enable</a> (no)</b>
- Allow this Postfix instance to be started, stopped, etc., by a
+ Allow this Postfix instance to be started, stopped, etc., by a
multi-instance manager.
<b>FILES</b>
- Prior to Postfix version 2.6, all of the following files were in <b>$<a href="postconf.5.html#config_directory">con</a>-</b>
+ Prior to Postfix version 2.6, all of the following files were in <b>$<a href="postconf.5.html#config_directory">con</a>-</b>
<b><a href="postconf.5.html#config_directory">fig_directory</a></b>. Some files are now in <b>$<a href="postconf.5.html#daemon_directory">daemon_directory</a></b> so that they can
be shared among multiple instances that run the same Postfix version.
- Use the command "<b>postconf <a href="postconf.5.html#config_directory">config_directory</a></b>" or "<b>postconf <a href="postconf.5.html#daemon_directory">daemon_direc</a>-</b>
+ Use the command "<b>postconf <a href="postconf.5.html#config_directory">config_directory</a></b>" or "<b>postconf <a href="postconf.5.html#daemon_directory">daemon_direc</a>-</b>
<b><a href="postconf.5.html#daemon_directory">tory</a></b>" to expand the names into their actual values.
$<a href="postconf.5.html#config_directory">config_directory</a>/<a href="postconf.5.html">main.cf</a>, Postfix configuration parameters
<a href="postcat.1.html">postcat(1)</a>, examine Postfix queue file
<a href="postconf.1.html">postconf(1)</a>, Postfix configuration utility
<a href="postfix.1.html">postfix(1)</a>, Postfix control program
+ <a href="postfix-tls.1.html">postfix-tls(1)</a>, Postfix TLS management
<a href="postkick.1.html">postkick(1)</a>, trigger Postfix daemon
<a href="postlock.1.html">postlock(1)</a>, Postfix-compatible locking
<a href="postlog.1.html">postlog(1)</a>, Postfix-compatible logging
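Review bot: the openssl_path entry added under "Available in Postfix version 3.1 and later:" is the only parameter in this section without a postconf.5.html hyperlink, while the same entry in postfix-tls.1.html does carry "<a href="postconf.5.html#openssl_path">"; this looks like postfix.1.html was regenerated before postconf.proto had the openssl_path entry, so it should be regenerated once more. Separately, this hunk drops the old subcommand names (create-key, create-cert, replace-key, replace-cert, gen-csr, gen-tlsa) in favour of new-server-key, new-server-cert, deploy-server-cert, output-server-csr and output-server-tlsa, and changes gen-csr's positional "hostname keyfile" into "-k keyfile [hostname ...]"; since the feature is documented as "available in Postfix 3.1 and later", that is fine for an unreleased feature, but the RELEASE_NOTES should say the names changed so nobody who scripted against a 3.1 snapshot is surprised.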
P.O. Box 704
Yorktown Heights, NY 10598, USA
+ Wietse Venema
+ Google, Inc.
+ 111 8th Avenue
+ New York, NY 10011, USA
+
TLS support by:
Lutz Jaenicke
Brandenburg University of Technology
P.O. Box 704
Yorktown Heights, NY 10598, USA
+ Wietse Venema
+ Google, Inc.
+ 111 8th Avenue
+ New York, NY 10011, USA
+
SASL support originally by:
Till Franke
SuSE Rhein/Main AG
# ;;
#esac
+#
+# We don't know all systems that have /dev/urandom, so we probe.
+#
+test -r /dev/urandom && CCARGS="$CCARGS -DHAS_DEV_URANDOM"
+
#
# PCRE 3.x has a pcre-config utility so we don't have to guess.
#
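Review bot: "test -r /dev/urandom" probes the build host, not the target: a build inside a minimal chroot, jail or container that has no /dev/urandom silently leaves HAS_DEV_URANDOM undefined and the resulting binaries fall back to the per-system default in sys_defs.h, while a build on a host that has the device produces binaries that assume it exists at run time. Since the line only appends to CCARGS, an explicit "make makefiles CCARGS=-DHAS_DEV_URANDOM" still works as an override; the comment above the probe should say so, and ideally the probe should be skipped when CCARGS already mentions HAS_DEV_URANDOM so the override is authoritative.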
COMMANDS= man1/postalias.1 man1/postcat.1 man1/postconf.1 man1/postfix.1 \
man1/postkick.1 man1/postlock.1 man1/postlog.1 man1/postdrop.1 \
man1/postmap.1 man1/postmulti.1 man1/postqueue.1 man1/postsuper.1 \
- man1/sendmail.1 man1/mailq.1 man1/newaliases.1
+ man1/sendmail.1 man1/mailq.1 man1/newaliases.1 man1/postfix-tls.1
CONFIG = man5/access.5 man5/aliases.5 man5/canonical.5 man5/relocated.5 \
man5/transport.5 man5/virtual.5 man5/pcre_table.5 man5/regexp_table.5 \
man5/cidr_table.5 man5/tcp_table.5 man5/header_checks.5 \
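Review bot: adding man1/postfix-tls.1 to COMMANDS gets it built and installed by this Makefile, but the ownership and permissions of installed files are set "as specified in the postfix-files file" (see the set-permissions text in postfix.1.html), so conf/postfix-files needs a matching entry for $manpage_directory/man1/postfix-tls.1 as well; that file is not visible in this section, so please confirm it is part of the same change.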
(cmp -s junk $? || mv junk $?) && rm -f junk
../mantools/srctoman $? >$@
+man1/postfix-tls.1: ../conf/postfix-tls-script
+ ../mantools/fixman ../proto/postconf.proto $? >junk && \
+ (cmp -s junk $? || mv junk $?) && rm -f junk
+ ../mantools/srctoman - $? >$@
+
man1/postkick.1: ../src/postkick/postkick.c
../mantools/fixman ../proto/postconf.proto $? >junk && \
(cmp -s junk $? || mv junk $?) && rm -f junk
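Review bot: the new rule invokes "../mantools/srctoman - $?" while every other rule in this file calls "../mantools/srctoman $?"; the extra "-" argument is presumably because the source is the shell script conf/postfix-tls-script rather than a C file, but nothing says so. A one-line comment above the rule explaining the flag would save the next maintainer a trip into mantools/srctoman. Note also that fixman rewrites the source file in place ("mv junk $?") exactly as the other rules do, so building the manual pages now modifies conf/postfix-tls-script in the source tree; that is consistent with the rest of the file, just worth knowing.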
\fBpostconf\fR \fB\-t\fR [\fB\-v\fR] [\fB\-c \fIconfig_dir\fR]
[\fItemplate_file\fR]
+\fBManaging TLS features:\fR
+
+\fBpostconf\fR [\fB\-v\fR] [\fB\-c \fIconfig_dir\fR] \fB\-T \fImode\fR
+
\fBManaging other configuration:\fR
\fBpostconf\fR \fB\-a\fR|\fB\-A\fR|\fB\-l\fR|\fB\-m\fR [\fB\-v\fR]
line (in shell language: "").
This feature is available with Postfix 2.3 and later.
+.IP "\fB\-T \fImode\fB"
+If Postfix is compiled without TLS support, the \fB\-T\fR option
+produces no output. Otherwise, if an invalid \fImode\fR is specified,
+the \fB\-T\fR option reports an error and exits with a non\-zero status
+code. The valid modes are:
+.RS
+.IP \fBcompile\-version\fR
+Output the OpenSSL version that Postfix was compiled with
+(i.e. the OpenSSL version in a header file). The output
+format is the same as with the command "\fBopenssl version\fR".
+.IP \fBrun\-version\fR
+Output the OpenSSL version that Postfix is linked with at
+runtime (i.e. the OpenSSL version in a shared library).
+.IP \fBpublic\-key\-algorithms\fR
+Output the lower\-case names of the supported public\-key
+algorithms, one per\-line.
+.RE
+.IP
+This feature is available with Postfix 3.1 and later.
.IP \fB\-v\fR
Enable verbose logging for debugging purposes. Multiple
\fB\-v\fR options make the software increasingly verbose.
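Review bot: the -T text says that without TLS support the option "produces no output", but postfix-tls-script branches on "postconf -T public-key-algorithms", so the exit status in that case matters and should be stated (presumably zero, with the empty output meaning "no algorithms"). Three smaller points: ".IP "\fB\-T \fImode\fB"" ends the tag with \fB where the other tags in this page end with \fR, so unless that is intentional the font should be reset there; "one per\-line" should be "one per line"; and it would help operators who compare compile-version and run-version to say explicitly that a mismatch means Postfix is running against a different OpenSSL shared library than it was built against.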
--- /dev/null
+.TH POSTFIX-TLS 1
+.ad
+.fi
+.SH NAME
+postfix-tls
+\-
+Postfix TLS management
+.SH "SYNOPSIS"
+.na
+.nf
+\fBpostfix tls\fR \fIsubcommand\fB ...\fR
+.SH DESCRIPTION
+.ad
+.fi
+The "\fBpostfix tls \fIsubcommand\fB ...\fR" feature enables
+opportunistic TLS in the Postfix SMTP client and/or server,
+and manages Postfix SMTP server private keys and certificates.
+
+The following subcommands are available:
+.IP "\fBenable\-client\fR [\fB\-r \fIrandsource\fR]"
+Enable opportunistic TLS in the Postfix SMTP client, if all
+SMTP client TLS settings are at their default values.
+Otherwise, suggest parameter settings without making any
+changes.
+.sp
+Specify \fIrandsource\fR to update the value of the
+\fBtls_random_source\fR configuration parameter (typically,
+/dev/urandom). Prepend \fBdev:\fR to device paths or
+\fBegd:\fR to EGD socket paths.
+.IP "\fBenable\-server\fR [\fB\-r \fIrandsource\fR] [\fB\-a \fIalgorithm\fR] [\fB\-b \fIbits\fR] [\fIhostname\fB ...\fR]"
+Create a new private key and self\-signed server certificate
+and enable opportunistic TLS in the Postfix SMTP server,
+if all SMTP server TLS settings are at their default values.
+Otherwise, suggest parameter settings without making any
+changes.
+.sp
+The \fIrandsource\fR parameter is as with \fBenable\-client\fR
+above, and the remaining options are as with \fBnew\-server\-key\fR
+below.
+.IP "\fBnew\-server\-key\fR [\fB\-a \fIalgorithm\fR] [\fB\-b \fIbits\fR] [\fIhostname\fB ...\fR]"
+Create a new private key and self\-signed server certificate,
+but do not deploy them. Log and display commands to deploy
+the new key and corresponding certificate. Also log and
+display commands to output a corresponding CSR or TLSA
+records which may be needed to obtain a CA certificate or
+to update DNS before the new key can be deployed.
+.sp
+The \fIalgorithm\fR defaults to \fBrsa\fR, and \fIbits\fR
+defaults to 2048. If you choose the \fBecdsa\fR \fIalgorithm\fR
+then \fIbits\fR will be an EC curve name (by default
+\fBsecp256r1\fR, also known as prime256v1). Curves other
+than \fBsecp256r1\fR, \fBsecp384r1\fR or \fBsecp521r1\fR
+are unlikely to be widely interoperable. When generating
+EC keys, use one of these three. DSA keys are obsolete and
+are not supported.
+.sp
+Note: ECDSA support requires OpenSSL 1.0.0 or later and may
+not be available on your system. Not all client systems
+will support ECDSA, so you'll generally want to deploy both
+RSA and ECDSA certificates to make use of ECDSA with
+compatible clients and RSA with the rest. If you want to
+deploy certificate chains with intermediate CAs for both
+RSA and ECDSA, you'll want at least OpenSSL 1.0.2, as earlier
+versions may not handle multiple chain files correctly.
+.sp
+The first \fIhostname\fR argument will be the \fBCommonName\fR
+of both the subject and issuer of the self\-signed certificate.
+It, and any additional \fIhostname\fR arguments, will also
+be listed as DNS alternative names in the certificate. If
+no \fIhostname\fR is provided the value of the \fBmyhostname\fR
+main.cf parameter will be used.
+.sp
+For RSA, the generated private key and certificate files
+are named \fBkey\-\fIyyyymmdd\-hhmmss\fB.pem\fR and
+\fBcert\-\fIyyyymmdd\-hhmmss\fB.pem\fR, where \fIyyyymmdd\fR
+is the calendar date and \fIhhmmss\fR is the time of day
+in UTC. For ECDSA, the file names start with \fBeckey\-\fR
+and \fBeccert\-\fR instead of \fBkey\-\fR and \fBcert\-\fR
+respectively.
+.sp
+Before deploying the new key and certificate with DANE,
+update the DNS with new DANE TLSA records, then wait for
+secondary nameservers to update and then for stale records
+in remote DNS caches to expire.
+.sp
+Before deploying a new CA certificate make sure to include
+all the required intermediate issuing CA certificates in
+the certificate chain file. The server certificate must
+be the first certificate in the chain file. Overwrite and
+deploy the file with the original self\-signed certificate
+that was generated together with the key.
+.IP "\fBnew\-server\-cert\fR [\fB\-a \fIalgorithm\fR] [\fB\-b \fIbits\fR] [\fIhostname\fB ...\fR]"
+This is just like \fBnew\-server\-key\fR except that, rather
+than generating a new private key, any currently deployed
+private key is copied to the new key file. Thus if you're
+publishing DANE TLSA "3 1 1" or "3 1 2" records, there is
+no need to update DNS records. The \fIalgorithm\fB and
+\fIbits\fR arguments are used only if no key of the same
+algorithm is already configured.
+.sp
+This command is rarely needed, because the self\-signed
+certificates generated have a 100\-year nominal expiration
+time. The underlying public key algorithms may well be
+obsoleted by quantum computers long before then.
+.sp
+The most plausible reason for using this command is when
+the system hostname changes, and you'd like the name in the
+certificate to match the new hostname (not required for
+DANE "3 1 1", but some needlessly picky non\-DANE opportunistic
+TLS clients may log warnings or even refuse to communicate).
+.IP "\fBdeploy\-server\-cert \fIcertfile\fB \fIkeyfile\fR"
+This subcommand deploys the certificates in \fIcertfile\fR
+and private key in \fIkeyfile\fR (which are typically
+generated by the commands above, which will also log and
+display the full command needed to deploy the generated key
+and certificate). After the new certificate and key are
+deployed any obsolete keys and certificates may be removed
+by hand. The \fIkeyfile\fR and \fIcertfile\fR filenames
+are relative to the Postfix configuration directory.
+.IP "\fBoutput\-server\-csr\fR [\fB\-k \fIkeyfile\fR] [\fIhostname\fB
+...\fR]"
+Write to stdout a certificate signing request (CSR) for the
+specified \fIkeyfile\fR.
+.sp
+Instead of a filename, \fIkeyfile\fR may specify one of the
+supported key algorithm names (see "\fBpostconf \-T
+public\-key\-algorithms\fR"). In that case, the corresponding
+setting from main.cf is used to locate the \fIkeyfile\fR.
+The default \fIkeyfile\fR value is \fBrsa\fR.
+.sp
+Zero or more \fIhostname\fR values can be specified. The
+default \fIhostname\fR is the value of \fBmyhostname\fR
+main.cf parameter.
+.IP "\fBoutput\-server\-tlsa\fR [\fB\-h \fIhostname\fR] [\fIkeyfile\fB ...\fR]"
+Write to stdout a DANE TLSA RRset suitable for a port 25
+SMTP server on host \fIhostname\fR with keys from any of
+the specified \fIkeyfile\fR values. The default \fIhostname\fR
+is the value of the \fBmyhostname\fR main.cf parameter.
+.sp
+Instead of filenames, the \fIkeyfile\fR list may specify
+names of supported public key algorithms (see "\fBpostconf
+\-T public\-key\-algorithms\fR"). In that case, the actual
+\fIkeyfile\fR list uses the values of the corresponding
+Postfix server TLS key file parameters. If a parameter
+value is empty or equal to \fBnone\fR, then no TLSA record
+is output for that algorithm.
+.sp
+The default \fIkeyfile\fR list consists of the two supported
+algorithms \fBrsa\fR and \fBecdsa\fR.
+.SH "CONFIGURATION PARAMETERS"
+.na
+.nf
+.ad
+.fi
+The "\fBpostfix tls \fIsubcommand\fB ...\fR" feature reads
+or updates the following configuration parameters.
+.IP "\fBcommand_directory (see 'postconf -d' output)\fR"
+The location of all postfix administrative commands.
+.IP "\fBconfig_directory (see 'postconf -d' output)\fR"
+The default location of the Postfix main.cf and master.cf
+configuration files.
+.IP "\fBopenssl_path (openssl)\fR"
+The location of the OpenSSL command line program \fBopenssl\fR(1).
+.IP "\fBsmtp_tls_loglevel (0)\fR"
+Enable additional Postfix SMTP client logging of TLS activity.
+.IP "\fBsmtp_tls_security_level (empty)\fR"
+The default SMTP TLS security level for the Postfix SMTP client;
+when a non\-empty value is specified, this overrides the obsolete
+parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
+.IP "\fBsmtp_tls_session_cache_database (empty)\fR"
+Name of the file containing the optional Postfix SMTP client
+TLS session cache.
+.IP "\fBsmtpd_tls_cert_file (empty)\fR"
+File with the Postfix SMTP server RSA certificate in PEM format.
+.IP "\fBsmtpd_tls_eccert_file (empty)\fR"
+File with the Postfix SMTP server ECDSA certificate in PEM format.
+.IP "\fBsmtpd_tls_eckey_file ($smtpd_tls_eccert_file)\fR"
+File with the Postfix SMTP server ECDSA private key in PEM format.
+.IP "\fBsmtpd_tls_key_file ($smtpd_tls_cert_file)\fR"
+File with the Postfix SMTP server RSA private key in PEM format.
+.IP "\fBsmtpd_tls_loglevel (0)\fR"
+Enable additional Postfix SMTP server logging of TLS activity.
+.IP "\fBsmtpd_tls_received_header (no)\fR"
+Request that the Postfix SMTP server produces Received: message
+headers that include information about the protocol and cipher used,
+as well as the remote SMTP client CommonName and client certificate issuer
+CommonName.
+.IP "\fBsmtpd_tls_security_level (empty)\fR"
+The SMTP TLS security level for the Postfix SMTP server; when
+a non\-empty value is specified, this overrides the obsolete parameters
+smtpd_use_tls and smtpd_enforce_tls.
+.IP "\fBtls_random_source (see 'postconf -d' output)\fR"
+The external entropy source for the in\-memory \fBtlsmgr\fR(8) pseudo
+random number generator (PRNG) pool.
+.SH "SEE ALSO"
+.na
+.nf
+master(8) Postfix master program
+postfix(1) Postfix administrative interface
+.SH "LICENSE"
+.na
+.nf
+.ad
+.fi
+The Secure Mailer license must be distributed with this software.
+.SH "AUTHOR(S)"
+.na
+.nf
+Viktor Dukhovni
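Review bot: three troff slips in the new postfix-tls(1) page. In the new-server-cert entry, `The \fIalgorithm\fB and` leaves the font in bold, so " and" renders bold; it should read `The \fIalgorithm\fR and`, matching the `\fIbits\fR` that follows. The output-server-csr `.IP` request is split across two lines (`[\fIhostname\fB` / `...\fR]"`), which leaves the quoted label open at end of line and turns `...\fR]"` into ordinary body text; keep the whole label on one line as the other `.IP` entries do. In the same entry, "the value of \fBmyhostname\fR main.cf parameter" is missing "the" before "main.cf".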
earliest convenience.
.IP \fBstatus\fR
Indicate if the Postfix mail system is currently running.
-.IP "\fBset\-permissions\fR \fB[\fIname\fR=\fIvalue ...\fB]\fR
+.IP "\fBset\-permissions\fR [\fIname\fR=\fIvalue ...\fR]
Set the ownership and permissions of Postfix related files and
directories, as specified in the \fBpostfix\-files\fR file.
.sp
This feature is available in Postfix 2.1 and later. With
Postfix 2.0 and earlier, use "\fB$config_directory/post\-install
set\-permissions\fR".
-.IP "\fBtls\fR \fIsubcommand...\fB\fR
-Enable opportunistic TLS in the Postfix SMTP client or server,
-or generate or replace Postfix SMTP server TLS private keys
-and certificates. See the section "TLS SUBCOMMANDS" below.
+.IP "\fBtls\fR \fIsubcommand\fB ...\fR
+Enable opportunistic TLS in the Postfix SMTP client or
+server, and manage Postfix SMTP server TLS private keys and
+certificates. See postfix\-tls(1) for documentation.
.sp
This feature is available in Postfix 3.1 and later.
-.IP "\fBupgrade\-configuration\fR \fB[\fIname\fR=\fIvalue ...\fB]\fR
+.IP "\fBupgrade\-configuration\fR [\fIname\fR=\fIvalue ...\fR]
Update the \fBmain.cf\fR and \fBmaster.cf\fR files with information
that Postfix needs in order to run: add or update services, and add
or update configuration parameter settings.
.IP \fB\-v\fR
Enable verbose logging for debugging purposes. Multiple \fB\-v\fR
options make the software increasingly verbose.
-.SH "TLS SUBCOMMANDS"
-.na
-.nf
-.ad
-.fi
-The "\fBpostfix tls \fIsubcommand...\fR" feature implements the
-following subcommands:
-.IP "\fBenable\-client\fR"
-Enable opportunistic TLS in the Postfix SMTP client, if all SMTP
-client TLS settings are at their default values. Otherwise,
-suggest parameter settings without making any changes.
-.IP "\fBenable\-server\fR"
-Create a new private key and self\-signed server certificate.
-Enable opportunistic TLS in the Postfix SMTP server, if all
-SMTP server TLS settings are at their default values. Otherwise,
-suggest parameter settings without making any changes.
-.IP "\fBcreate\-key\fR"
-Create a new 2048\-bit RSA private key and self\-signed server
-certificate, but do not deploy them. Log and display suggested
-main.cf settings to deploy the new key and certificate in
-the Postfix SMTP server.
-.sp
-Before deploying the new key and certificate with DANE, use the
-command "\fBpostfix tls gen\-tlsa \fIhostname keyfile\fR"
-to write recommended TLSA records to stdout.
-Update the DNS with new DANE TLSA records, then wait for
-secondary nameservers to update, and wait for stale records in
-remote DNS caches to expire.
-.sp
-Before deploying the new key and certificate with PKI in
-the Postfix SMTP server, use the command "\fBpostfix tls
-gen\-csr\fR" to obtain a certificate signing request (CSR)
-for the new key, and replace the self\-signed certificate
-with a CA\-issued one before deployment.
-.IP
-After taking zero or more of the above step(s), deploy the
-new key and certificate using the suggested main.cf settings
-mentioned above.
-.IP "\fBcreate\-cert\fR"
-This is just like \fBcreate\-key\fR except that, rather than
-generating a new private key, any currently deployed private
-key is copied to the new key file. Thus if you're publishing
-DANE TLSA "3 1 1" records, there is no need to update DNS records.
-.sp
-This command is rarely needed, because the certificates generated
-have a 100\-year nominal expiration time. The RSA algorithm may
-well be obsoleted by quantum computers long
-before then.
-.sp
-The most plausible reason for using this command is when
-system hostname changes, and you'd like the name in the
-certificate to match the new hostname (not required for
-DANE "3 1 1", but some needlessly picky non\-DANE opportunistic
-TLS clients may log warnings or even refuse to communicate).
-.IP "\fBreplace\-key\fR"
-This is like \fBcreate\-key\fR, but immediately deploys
-the new private key and self\-signed server certificate.
-Obsolete keys and certificates may be removed by hand. Files
-created with "\fBpostfix tls\fR" commands are named
-key\-\fIyyyymmdd\-hhmmss\fR.pem and cert\-\fIyyyymmdd\-hhmmss\fR.pem,
-where \fIyyyymmdd\fR is the calendar date and \fIhhmmss\fR
-is the time of day.
-.IP "\fBreplace\-cert\fR"
-This is like \fBreplace\-key\fR, but copies any currently
-deployed private key if one exists, and immediately deploys
-the key and the new self\-signed server certificate. This
-is safe with DANE TLSA "3 1 1" records. As noted before,
-replacement of just the certificate is rarely needed.
-.IP "\fBgen\-csr [\fIhostname\fB] [\fIkeyfile\fB]\fR"
-Write to stdout a certificate signing request (CSR) for the
-specified \fIhostname\fR (by default, the value of the
-\fBmyhostname\fR main.cf parameter) and private key file
-\fIkeyfile\fR (by default, the value of the
-\fBsmtpd_tls_key_file\fR main.cf parameter).
-.IP "\fBgen\-tlsa [\fIhostname\fB] [\fIkeyfile\fB]\fR"
-Write to stdout a DANE TLSA record suitable for a port 25
-SMTP server on host \fIhostname\fR (default: the value of
-the \fBmyhostname\fR main.cf parameter) with private key
-file \fIkeyfile\fR (default: the value of the
-\fBsmtpd_tls_key_file\fR main.cf parameter).
.SH "ENVIRONMENT"
.na
.nf
plugins (postfix\-*.so) that have a relative pathname in the
dynamicmaps.cf file.
.PP
+Available in Postfix version 3.1 and later:
+.IP "\fBopenssl_path (openssl)\fR"
+The location of the OpenSSL command line program \fBopenssl\fR(1).
+.PP
Other configuration parameters:
.IP "\fBimport_environment (see 'postconf -d' output)\fR"
The list of environment parameters that a Postfix process will
postcat(1), examine Postfix queue file
postconf(1), Postfix configuration utility
postfix(1), Postfix control program
+postfix\-tls(1), Postfix TLS management
postkick(1), trigger Postfix daemon
postlock(1), Postfix\-compatible locking
postlog(1), Postfix\-compatible logging
P.O. Box 704
Yorktown Heights, NY 10598, USA
+Wietse Venema
+Google, Inc.
+111 8th Avenue
+New York, NY 10011, USA
+
TLS support by:
Lutz Jaenicke
Brandenburg University of Technology
.PP
This feature is available in Postfix 2.8 and later.
.SH lmtp_address_verify_target (default: rcpt)
-The LMTP\-specific version of the smtp_dns_support_level
+The LMTP\-specific version of the smtp_address_verify_target
configuration parameter. See there for details.
.PP
This feature is available in Postfix 3.0 and later.
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
+
+Wietse Venema
+Google, Inc.
+111 8th Avenue
+New York, NY 10011, USA
P.O. Box 704
Yorktown Heights, NY 10598, USA
+Wietse Venema
+Google, Inc.
+111 8th Avenue
+New York, NY 10011, USA
+
SASL support originally by:
Till Franke
SuSE Rhein/Main AG
s;\bnewaliases_path\b;<a href="postconf.5.html#newaliases_path">$&</a>;g;
s;\bnon_fqdn_reject_code\b;<a href="postconf.5.html#non_fqdn_reject_code">$&</a>;g;
s;\bnotify_classes\b;<a href="postconf.5.html#notify_classes">$&</a>;g;
+ s;\bopenssl_path\b;<a href="postconf.5.html#openssl_path">$&</a>;g;
s;\bowner_request_special\b;<a href="postconf.5.html#owner_request_special">$&</a>;g;
s;\bpar[-</bB>]*\n* *[<bB>]*ent_domain_matches_subdomains\b;<a href="postconf.5.html#parent_domain_matches_subdomains">$&</a>;g;
s;\bpermit_mx_backup_networks\b;<a href="postconf.5.html#permit_mx_backup_networks">$&</a>;g;
s/[<bB>]*post[-<\/bB>]*\n*[ <bB>]*conf[<\/bB>]*\(1\)/<a href="postconf.1.html">$&<\/a>/g;
s/[<bB>]*postdrop[<\/bB>]*\(1\)/<a href="postdrop.1.html">$&<\/a>/g;
s/[<bB>]*post[-<\/bB>]*\n* *[<bB>]*fix[<\/bB>]*\(1\)/<a href="postfix.1.html">$&<\/a>/g;
+ s/[<bB>]*post[-<\/bB>]*\n* *[<bB>]*fix-tls[<\/bB>]*\(1\)/<a href="postfix-tls.1.html">$&<\/a>/g;
s/[<bB>]*postkick[<\/bB>]*\(1\)/<a href="postkick.1.html">$&<\/a>/g;
s/[<bB>]*postlock[<\/bB>]*\(1\)/<a href="postlock.1.html">$&<\/a>/g;
s/[<bB>]*postlog[<\/bB>]*\(1\)/<a href="postlog.1.html">$&<\/a>/g;
%PARAM lmtp_address_verify_target rcpt
-<p> The LMTP-specific version of the smtp_dns_support_level
+<p> The LMTP-specific version of the smtp_address_verify_target
configuration parameter. See there for details. </p>
<p> This feature is available in Postfix 3.0 and later. </p>
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20160117"
+#define MAIL_RELEASE_DATE "20160206"
#define MAIL_VERSION_NUMBER "3.1"
#ifdef SNAPSHOT
#define BAD_SMTP (-1)
#define BAD_MACRO (-2)
-static struct test_case test_cases[] = {
+static const struct test_case test_cases[] = {
{"missing reply", "", NO_TEMPLATE, NO_FILTER, BAD_SMTP, 0},
{"long smtp_code", "1234 foo", NO_TEMPLATE, NO_FILTER, BAD_SMTP, 0},
{"short smtp_code", "12 foo", NO_TEMPLATE, NO_FILTER, BAD_SMTP, 0},
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
#endif
SAMPLES = ../../conf/main.cf.default
INC_DIR = ../../include
LIBS = ../../lib/libxsasl.a \
+ ../../lib/lib$(LIB_PREFIX)tls$(LIB_SUFFIX) \
+ ../../lib/lib$(LIB_PREFIX)dns$(LIB_SUFFIX) \
../../lib/lib$(LIB_PREFIX)global$(LIB_SUFFIX) \
../../lib/lib$(LIB_PREFIX)util$(LIB_SUFFIX)
postconf_other.o: ../../include/argv.h
postconf_other.o: ../../include/check_arg.h
postconf_other.o: ../../include/dict.h
+postconf_other.o: ../../include/dns.h
postconf_other.o: ../../include/htable.h
postconf_other.o: ../../include/mbox_conf.h
+postconf_other.o: ../../include/myaddrinfo.h
postconf_other.o: ../../include/myflock.h
postconf_other.o: ../../include/name_code.h
+postconf_other.o: ../../include/name_mask.h
+postconf_other.o: ../../include/sock_addr.h
postconf_other.o: ../../include/sys_defs.h
+postconf_other.o: ../../include/tls.h
postconf_other.o: ../../include/vbuf.h
postconf_other.o: ../../include/vstream.h
postconf_other.o: ../../include/vstring.h
/* \fBpostconf\fR \fB-t\fR [\fB-v\fR] [\fB-c \fIconfig_dir\fR]
/* [\fItemplate_file\fR]
/*
+/* \fBManaging TLS features:\fR
+/*
+/* \fBpostconf\fR [\fB-v\fR] [\fB-c \fIconfig_dir\fR] \fB-T \fImode\fR
+/*
/* \fBManaging other configuration:\fR
/*
/* \fBpostconf\fR \fB-a\fR|\fB-A\fR|\fB-l\fR|\fB-m\fR [\fB-v\fR]
/* line (in shell language: "").
/*
/* This feature is available with Postfix 2.3 and later.
+/* .IP "\fB-T \fImode\fB"
+/* If Postfix is compiled without TLS support, the \fB-T\fR option
+/* produces no output. Otherwise, if an invalid \fImode\fR is specified,
+/* the \fB-T\fR option reports an error and exits with a non-zero status
+/* code. The valid modes are:
+/* .RS
+/* .IP \fBcompile-version\fR
+/* Output the OpenSSL version that Postfix was compiled with
+/* (i.e. the OpenSSL version in a header file). The output
+/* format is the same as with the command "\fBopenssl version\fR".
+/* .IP \fBrun-version\fR
+/* Output the OpenSSL version that Postfix is linked with at
+/* runtime (i.e. the OpenSSL version in a shared library).
+/* .IP \fBpublic-key-algorithms\fR
+/* Output the lower-case names of the supported public-key
+/* algorithms, one per-line.
+/* .RE
+/* .IP
+/* This feature is available with Postfix 3.1 and later.
/* .IP \fB-v\fR
/* Enable verbose logging for debugging purposes. Multiple
/* \fB-v\fR options make the software increasingly verbose.
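Review bot: the new `.IP "\fB-T \fImode\fB"` label ends in `\fB` rather than `\fR`, so the paragraph that follows ("If Postfix is compiled without TLS support ...") inherits bold; every other option label in this synopsis resets the font, e.g. `\fB-c \fIconfig_dir\fR`. Also, in the public-key-algorithms item, "one per-line" should be "one per line".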
/* Major modes. */
PCF_SHOW_SASL_SERV | PCF_SHOW_SASL_CLNT | PCF_EXP_DSN_TEMPL \
|PCF_SHOW_LOCKS | PCF_SHOW_MAPS | PCF_DUMP_DSN_TEMPL | PCF_MAIN_PARAM \
- |PCF_MASTER_ENTRY | PCF_MASTER_FLD | PCF_MASTER_PARAM,
+ |PCF_MASTER_ENTRY | PCF_MASTER_FLD | PCF_MASTER_PARAM | PCF_SHOW_TLS,
/* Modifiers. */
PCF_SHOW_DEFS | PCF_EDIT_CONF | PCF_SHOW_NONDEF | PCF_COMMENT_OUT \
|PCF_EDIT_EXCL,
{PCF_EXP_DSN_TEMPL, 0},
{PCF_SHOW_LOCKS, 0},
{PCF_SHOW_MAPS, 0,},
+ {PCF_SHOW_TLS, 0,},
{PCF_DUMP_DSN_TEMPL, 0},
{PCF_MAIN_PARAM, (PCF_EDIT_CONF | PCF_EDIT_EXCL | PCF_COMMENT_OUT \
|PCF_FOLD_LINE | PCF_HIDE_NAME | PCF_PARAM_CLASS \
"-p", PCF_MAIN_PARAM,
"-P", PCF_MASTER_PARAM,
"-t", PCF_DUMP_DSN_TEMPL,
+ "-T", PCF_SHOW_TLS,
"-x", PCF_SHOW_EVAL,
"-X", PCF_EDIT_EXCL,
"-#", PCF_COMMENT_OUT,
" [-p (main.cf, default)]"
" [-P (master.cf parameters)]"
" [-t (bounce templates)]"
+ " [-T compile-version|run-version|public-key-algorithms]"
" [-v (verbose)]"
" [-x (expand parameter values)]"
" [-X (exclude)]"
0,
};
ARGV *override_params = 0;
+ const char *pcf_tls_arg = 0;
/*
* Fingerprint executables and core dumps.
/*
* Parse JCL.
*/
- while ((ch = GETOPT(argc, argv, "aAbc:C:deEfFhHlmMno:pPtvxX#")) > 0) {
+ while ((ch = GETOPT(argc, argv, "aAbc:C:deEfFhHlmMno:pPtT:vxX#")) > 0) {
switch (ch) {
case 'a':
pcf_cmd_mode |= PCF_SHOW_SASL_SERV;
ext_argv = argv_alloc(2);
argv_add(ext_argv, "bounce", "-SVndump_templates", (char *) 0);
break;
+ case 'T':
+ if (pcf_cmd_mode & PCF_SHOW_TLS)
+ msg_fatal("At most one -T <mode> option may be specified");
+ pcf_cmd_mode |= PCF_SHOW_TLS;
+ pcf_tls_arg = optarg;
+ break;
case 'x':
pcf_cmd_mode |= PCF_SHOW_EVAL;
break;
pcf_show_sasl(PCF_SHOW_SASL_CLNT);
}
+ /*
+ * Show TLS info and exit.
+ */
+ else if (pcf_cmd_mode & PCF_SHOW_TLS) {
+ pcf_show_tls(pcf_tls_arg);
+ }
+
/*
* Edit main.cf or master.cf.
*/
#define PCF_DUMP_DSN_TEMPL (1<<18) /* show bounce templates */
#define PCF_MASTER_PARAM (1<<19) /* manage master.cf -o name=value */
#define PCF_HIDE_VALUE (1<<20) /* hide main.cf/master.cf =value */
+#define PCF_SHOW_TLS (1<<21) /* TLS support introspection */
#define PCF_DEF_MODE 0
extern void pcf_show_maps(void);
extern void pcf_show_locks(void);
extern void pcf_show_sasl(int);
+extern void pcf_show_tls(const char *);
/* LICENSE
/* .ad
/*
/* void pcf_show_sasl(mode)
/* int mode;
+/*
+/* void pcf_show_tls(what)
+/* const char *what;
/* DESCRIPTION
/* pcf_show_maps() lists the available map (lookup table)
/* types.
/* pcf_show_sasl() shows the available SASL authentication
/* plugin types.
/*
+/* pcf_show_tls() reports the "compile-version" or "run-version"
+/* of the TLS library, or the supported public-key algorithms.
+/*
/* Arguments:
/* .IP mode
/* Show server information if the PCF_SHOW_SASL_SERV flag is
/* set, otherwise show client information.
+/* .IP what
+/* One of the literals "compile-version", "run-version" or
+/* "public-key-algorithms".
/* DIAGNOSTICS
/* Problems are reported to the standard error stream.
/* LICENSE
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
#include <vstream.h>
#include <argv.h>
#include <dict.h>
+#include <msg.h>
/* Global library. */
#include <xsasl.h>
+/* TLS library. */
+
+#include <tls.h>
+
/* Application-specific. */
#include <postconf.h>
vstream_printf("%s\n", sasl_argv->argv[i]);
argv_free(sasl_argv);
}
+
+/* pcf_show_tls - show TLS support */
+
+void pcf_show_tls(const char *what)
+{
+#ifdef USE_TLS
+ if (strcmp(what, "compile-version") == 0)
+ vstream_printf("%s\n", tls_compile_version());
+ else if (strcmp(what, "run-version") == 0)
+ vstream_printf("%s\n", tls_run_version());
+ else if (strcmp(what, "public-key-algorithms") == 0) {
+ const char **cpp;
+
+ for (cpp = tls_pkey_algorithms(); *cpp; cpp++)
+ vstream_printf("%s\n", *cpp);
+ } else {
+ msg_warn("unknown 'postconf -T' mode: %s", what);
+ exit(1);
+ }
+#endif /* USE_TLS */
+}
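Review bot: pcf_show_tls() uses strcmp() and exit(), but the include hunk for this file only adds <msg.h> and <tls.h>; confirm that <string.h> and <stdlib.h> are already included in the System library block this diff does not show. For the unknown-mode branch, `msg_fatal("unknown 'postconf -T' mode: %s", what)` is the idiomatic Postfix way to report the error and exit with status 1, rather than msg_warn() followed by a bare exit(1). Note also that in a build without USE_TLS the function ignores `what` entirely, so an invalid mode exits 0 without any message; that is consistent with the documented "produces no output" behaviour, but it would be worth a one-line comment inside the #ifdef so the silent path does not look like an oversight.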
/* earliest convenience.
/* .IP \fBstatus\fR
/* Indicate if the Postfix mail system is currently running.
-/* .IP "\fBset-permissions\fR \fB[\fIname\fR=\fIvalue ...\fB]\fR
+/* .IP "\fBset-permissions\fR [\fIname\fR=\fIvalue ...\fR]
/* Set the ownership and permissions of Postfix related files and
/* directories, as specified in the \fBpostfix-files\fR file.
/* .sp
/* This feature is available in Postfix 2.1 and later. With
/* Postfix 2.0 and earlier, use "\fB$config_directory/post-install
/* set-permissions\fR".
-/* .IP "\fBtls\fR \fIsubcommand...\fB\fR
-/* Enable opportunistic TLS in the Postfix SMTP client or server,
-/* or generate or replace Postfix SMTP server TLS private keys
-/* and certificates. See the section "TLS SUBCOMMANDS" below.
+/* .IP "\fBtls\fR \fIsubcommand\fB ...\fR
+/* Enable opportunistic TLS in the Postfix SMTP client or
+/* server, and manage Postfix SMTP server TLS private keys and
+/* certificates. See postfix-tls(1) for documentation.
/* .sp
/* This feature is available in Postfix 3.1 and later.
-/* .IP "\fBupgrade-configuration\fR \fB[\fIname\fR=\fIvalue ...\fB]\fR
+/* .IP "\fBupgrade-configuration\fR [\fIname\fR=\fIvalue ...\fR]
/* Update the \fBmain.cf\fR and \fBmaster.cf\fR files with information
/* that Postfix needs in order to run: add or update services, and add
/* or update configuration parameter settings.
/* .IP \fB-v\fR
/* Enable verbose logging for debugging purposes. Multiple \fB-v\fR
/* options make the software increasingly verbose.
-/* TLS SUBCOMMANDS
-/* .ad
-/* .fi
-/* The "\fBpostfix tls \fIsubcommand...\fR" feature implements the
-/* following subcommands:
-/* .IP "\fBenable-client\fR"
-/* Enable opportunistic TLS in the Postfix SMTP client, if all SMTP
-/* client TLS settings are at their default values. Otherwise,
-/* suggest parameter settings without making any changes.
-/* .IP "\fBenable-server\fR"
-/* Create a new private key and self-signed server certificate.
-/* Enable opportunistic TLS in the Postfix SMTP server, if all
-/* SMTP server TLS settings are at their default values. Otherwise,
-/* suggest parameter settings without making any changes.
-/* .IP "\fBcreate-key\fR"
-/* Create a new 2048-bit RSA private key and self-signed server
-/* certificate, but do not deploy them. Log and display suggested
-/* main.cf settings to deploy the new key and certificate in
-/* the Postfix SMTP server.
-/* .sp
-/* Before deploying the new key and certificate with DANE, use the
-/* command "\fBpostfix tls gen-tlsa \fIhostname keyfile\fR"
-/* to write recommended TLSA records to stdout.
-/* Update the DNS with new DANE TLSA records, then wait for
-/* secondary nameservers to update, and wait for stale records in
-/* remote DNS caches to expire.
-/* .sp
-/* Before deploying the new key and certificate with PKI in
-/* the Postfix SMTP server, use the command "\fBpostfix tls
-/* gen-csr\fR" to obtain a certificate signing request (CSR)
-/* for the new key, and replace the self-signed certificate
-/* with a CA-issued one before deployment.
-/* .IP
-/* After taking zero or more of the above step(s), deploy the
-/* new key and certificate using the suggested main.cf settings
-/* mentioned above.
-/* .IP "\fBcreate-cert\fR"
-/* This is just like \fBcreate-key\fR except that, rather than
-/* generating a new private key, any currently deployed private
-/* key is copied to the new key file. Thus if you're publishing
-/* DANE TLSA "3 1 1" records, there is no need to update DNS records.
-/* .sp
-/* This command is rarely needed, because the certificates generated
-/* have a 100-year nominal expiration time. The RSA algorithm may
-/* well be obsoleted by quantum computers long
-/* before then.
-/* .sp
-/* The most plausible reason for using this command is when
-/* system hostname changes, and you'd like the name in the
-/* certificate to match the new hostname (not required for
-/* DANE "3 1 1", but some needlessly picky non-DANE opportunistic
-/* TLS clients may log warnings or even refuse to communicate).
-/* .IP "\fBreplace-key\fR"
-/* This is like \fBcreate-key\fR, but immediately deploys
-/* the new private key and self-signed server certificate.
-/* Obsolete keys and certificates may be removed by hand. Files
-/* created with "\fBpostfix tls\fR" commands are named
-/* key-\fIyyyymmdd-hhmmss\fR.pem and cert-\fIyyyymmdd-hhmmss\fR.pem,
-/* where \fIyyyymmdd\fR is the calendar date and \fIhhmmss\fR
-/* is the time of day.
-/* .IP "\fBreplace-cert\fR"
-/* This is like \fBreplace-key\fR, but copies any currently
-/* deployed private key if one exists, and immediately deploys
-/* the key and the new self-signed server certificate. This
-/* is safe with DANE TLSA "3 1 1" records. As noted before,
-/* replacement of just the certificate is rarely needed.
-/* .IP "\fBgen-csr [\fIhostname\fB] [\fIkeyfile\fB]\fR"
-/* Write to stdout a certificate signing request (CSR) for the
-/* specified \fIhostname\fR (by default, the value of the
-/* \fBmyhostname\fR main.cf parameter) and private key file
-/* \fIkeyfile\fR (by default, the value of the
-/* \fBsmtpd_tls_key_file\fR main.cf parameter).
-/* .IP "\fBgen-tlsa [\fIhostname\fB] [\fIkeyfile\fB]\fR"
-/* Write to stdout a DANE TLSA record suitable for a port 25
-/* SMTP server on host \fIhostname\fR (default: the value of
-/* the \fBmyhostname\fR main.cf parameter) with private key
-/* file \fIkeyfile\fR (default: the value of the
-/* \fBsmtpd_tls_key_file\fR main.cf parameter).
/* ENVIRONMENT
/* .ad
/* .fi
/* plugins (postfix-*.so) that have a relative pathname in the
/* dynamicmaps.cf file.
/* .PP
+/* Available in Postfix version 3.1 and later:
+/* .IP "\fBopenssl_path (openssl)\fR"
+/* The location of the OpenSSL command line program \fBopenssl\fR(1).
+/* .PP
/* Other configuration parameters:
/* .IP "\fBimport_environment (see 'postconf -d' output)\fR"
/* The list of environment parameters that a Postfix process will
/* postcat(1), examine Postfix queue file
/* postconf(1), Postfix configuration utility
/* postfix(1), Postfix control program
+/* postfix-tls(1), Postfix TLS management
/* postkick(1), trigger Postfix daemon
/* postlock(1), Postfix-compatible locking
/* postlog(1), Postfix-compatible logging
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
+/*
/* TLS support by:
/* Lutz Jaenicke
/* Brandenburg University of Technology
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
+/*
/* SASL support originally by:
/* Till Franke
/* SuSE Rhein/Main AG
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
#endif
/* Backwards compatibility with OpenSSL < 1.1.0 */
-#ifdef SSLEAY_VERSION_NUMBER
-#define OpenSSL_version_num SSLeay
-#endif
-
#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define OpenSSL_version_num SSLeay
+#define OpenSSL_version SSLeay_version
+#define OPENSSL_VERSION SSLEAY_VERSION
#define X509_up_ref(x) CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509)
#endif
/*
* tls_misc.c
*/
-
extern void tls_param_init(void);
/*
*/
extern void tls_session_stop(TLS_APPL_STATE *, VSTREAM *, int, int, TLS_SESS_STATE *);
+ /*
+ * tls_misc.c
+ */
+extern const char *tls_compile_version(void);
+extern const char *tls_run_version(void);
+extern const char **tls_pkey_algorithms(void);
+
#ifdef TLS_INTERNAL
#include <vstring.h>
return (0);
}
+#ifdef SSL_SECOP_PEER
+ /* Backwards compatible security as a base for opportunistic TLS. */
+ SSL_CTX_set_security_level(client_ctx, 0);
+#endif
+
/*
* See the verify callback in tls_verify.c
*/
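Review bot: SSL_CTX_set_security_level(client_ctx, 0) turns off OpenSSL's minimum-strength checks (key sizes, signature digests, cipher selection) for every connection made from this context, and the guard uses SSL_SECOP_PEER as a stand-in feature test for the security-level API. Both deserve a sentence in the comment: that level 0 is deliberately chosen because opportunistic TLS must not fail where cleartext would succeed, and that the level is raised back to 1 per connection whenever the peer is authenticated (the TLS_MUST_MATCH hunk below). Without that cross-reference a later reader could reasonably mistake level 0 for an accidental weakening of the client.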
if (protomask != 0)
SSL_set_options(TLScontext->con, TLS_SSL_OP_PROTOMASK(protomask));
+#ifdef SSL_SECOP_PEER
+ /* When authenticating the peer, use 80-bit plus OpenSSL security level */
+ if (TLS_MUST_MATCH(props->tls_level))
+ SSL_set_security_level(TLScontext->con, 1);
+#endif
+
/*
* XXX To avoid memory leaks we must always call SSL_SESSION_free() after
* calling SSL_set_session(), regardless of whether or not the session
/*
/* void tls_update_app_logmask(app_ctx, log_mask)
/* TLS_APPL_STATE *app_ctx;
-/* int log_mask;
+/* int log_mask;
/*
/* int tls_validate_digest(dgst)
/* const char *dgst;
+/*
+/* const char *tls_compile_version(void)
+/*
+/* const char *tls_run_version(void)
+/*
+/* const char **tls_pkey_algorithms(void)
/* DESCRIPTION
/* This module implements routines that support the TLS client
/* and server internals.
/*
/* tls_validate_digest() returns non-zero if the named digest
/* is usable and zero otherwise.
+/*
+/* tls_compile_version() returns a text string description of
+/* the compile-time TLS library.
+/*
+/* tls_run_version() is just tls_compile_version() but with the runtime
+/* version instead of the compile-time version.
+/*
+/* tls_pkey_algorithms() returns a pointer to null-terminated
+/* array of string constants with the names of the supported
+/* public-key algorithms.
/* LICENSE
/* .ad
/* .fi
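Review bot: in the tls_pkey_algorithms() description, "returns a pointer to null-terminated array" should read "returns a pointer to a null-terminated array".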
/* tls_version_split - Split OpenSSL version number into major, minor, ... */
-static void tls_version_split(long version, TLS_VINFO *info)
+static void tls_version_split(unsigned long version, TLS_VINFO *info)
{
/*
hdr_info.major, hdr_info.minor, hdr_info.micro);
}
+/* tls_compile_version - compile-time OpenSSL version */
+
+const char *tls_compile_version(void)
+{
+ return (OPENSSL_VERSION_TEXT);
+}
+
+/* tls_run_version - run-time version "major.minor.micro" */
+
+const char *tls_run_version(void)
+{
+ return (OpenSSL_version(OPENSSL_VERSION));
+}
+
+const char **tls_pkey_algorithms(void)
+{
+
+ /*
+ * Return an array, not string, so that the result can be inspected
+ * without parsing. Sort the result alphabetically, not chronologically.
+ */
+ static const char *algs[] = {
+#ifndef OPENSSL_NO_DSA
+ "dsa",
+#endif
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L && !defined(OPENSSL_NO_ECDSA)
+ "ecdsa",
+#endif
+#ifndef OPENSSL_NO_RSA
+ "rsa",
+#endif
+ 0,
+ };
+
+ return (algs);
+}
+
/* tls_bug_bits - SSL bug compatibility bits for this OpenSSL version */
long tls_bug_bits(void)
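Review bot: the header comment `/* tls_run_version - run-time version "major.minor.micro" */` does not describe the code, which returns OpenSSL_version(OPENSSL_VERSION), i.e. the library's full version text (the same form as the compile-time OPENSSL_VERSION_TEXT), not a bare major.minor.micro string. Reword it as "run-time OpenSSL version text" to match its compile-time twin above. tls_pkey_algorithms() is also the only function in this hunk without the `/* name - description */` header line this file uses before each definition; add one, e.g. `/* tls_pkey_algorithms - names of supported public-key algorithms */`.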
return (0);
}
+#ifdef SSL_SECOP_PEER
+ /* Backwards compatible security as a base for opportunistic TLS. */
+ SSL_CTX_set_security_level(server_ctx, 0);
+#endif
+
/*
* See the verify callback in tls_verify.c
*/
return (0);
}
+#ifdef SSL_SECOP_PEER
+ /* When authenticating the peer, use 80-bit plus OpenSSL security level */
+ if (props->requirecert)
+ SSL_set_security_level(TLScontext->con, 1);
+#endif
+
/*
* Before really starting anything, try to seed the PRNG a little bit
* more.
TLScontext->peer_pkey_fprint);
}
X509_free(peer);
+
+ /*
+ * Give them a clue. Problems with trust chain verification are logged
+ * when the session is first negotiated, before the session is stored
+ * into the cache. We don't want mystery failures, so log the fact the
+ * real problem is to be found in the past.
+ */
+ if (!TLS_CERT_IS_TRUSTED(TLScontext)
+ && (TLScontext->log_mask & TLS_LOG_UNTRUSTED)) {
+ if (TLScontext->session_reused == 0)
+ tls_log_verify_error(TLScontext);
+ else
+ msg_info("%s: re-using session with untrusted certificate, "
+ "look for details earlier in the log",
+ TLScontext->namaddr);
+ }
} else {
TLScontext->peer_CN = mystrdup("");
TLScontext->issuer_CN = mystrdup("");
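Review bot: the new block logs the verification error for a fresh session and, for a re-used session, points the operator back to the earlier log entry; this addresses the "mystery failure" described in the comment for sessions that did present a certificate, but the `} else {` branch that follows (no peer certificate, peer_CN and issuer_CN set to "") is left silent, so a re-used session with no certificate gives no similar clue. Consider whether that branch should log the same hint under TLS_LOG_UNTRUSTED. Also, the message text "re-using session with untrusted certificate, look for details earlier in the log" is clear; keep the TLS_LOG_UNTRUSTED mask gate so the extra line does not appear at default verbosity.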
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* expand macro references in string
/* SYNOPSIS
/* #include <mac_expand.h>
- DESCRIPTION
- .nf
+/* DESCRIPTION
+/* .nf
/*
* Utility library.
/* locate macro references in string
/* SYNOPSIS
/* #include <mac_parse.h>
- DESCRIPTION
- .nf
+/* DESCRIPTION
+/* .nf
/*
* Utility library.
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/*
*/
#ifndef NO_WATCHDOG_PIPE
#define USE_WATCHDOG_PIPE
+#endif
+
+ /*
+ * If we don't have defined a preferred random device above, but the system
+ * has /dev/urandom, then we use that.
+ */
+#if !defined(PREFERRED_RAND_SOURCE) && defined(HAS_DEV_URANDOM)
+#define PREFERRED_RAND_SOURCE "dev:/dev/urandom"
#endif
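Review bot: the comment introducing the new block is ungrammatical ("If we don't have defined a preferred random device above"); suggest "If no preferred random device was defined above, but the system has /dev/urandom, use that." The block relies on HAS_DEV_URANDOM, which is not defined anywhere in this hunk, so add a comment naming where it is expected to be set so that readers of sys_defs.h can find it. Note also that the added `+#endif` after USE_WATCHDOG_PIPE now closes the NO_WATCHDOG_PIPE test and the pre-existing `#endif` at the end closes the new `#if !defined(PREFERRED_RAND_SOURCE) && defined(HAS_DEV_URANDOM)`; the pairing is correct, but a trailing `/* PREFERRED_RAND_SOURCE */` style comment on the final #endif would make that ownership change obvious.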
/*
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
#endif
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */