From: Wietse Z Venema Date: Fri, 26 Dec 2025 05:00:00 +0000 (-0500) Subject: postfix-3.11.0-RC2 X-Git-Tag: v3.11.0-RC2^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3a90fa6372b9c5e94bbffc91c805a5e78776ecb7;p=thirdparty%2Fpostfix.git postfix-3.11.0-RC2 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index 925ee13ad..f77142c02 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -30279,3 +30279,18 @@ Apologies for any names omitted. util/unescape.ref. Documentation: minor edits of Postfix 3.11.0 RELEASE_NOTES. + +20251226 + + Tooling to reduce hard-coded database types in main.cf. + This introduces default_cache_db_type as the default database + for address_verify_map and postscreen_cache_map. It defaults + to 'lmdb' if default_database_type is 'lmdb', otherwise it + assumes the historical value 'btree'. With instructions for + overriding default_cache_db_type and default_database_type + in Postfix 3.11.0 RELEASE_NOTES. Files: makedefs, + mantools/postlink, proto/INSTALL.html, proto/postconf.proto, + README_FILES/INSTALL, RELEASE_NOTES-3.11, global/mail_params.c, + global/mail_params.h. + + Documentation: updated REQUIRETLS_README. diff --git a/postfix/INSTALL b/postfix/INSTALL index 026c7fa31..9b244119d 100644 --- a/postfix/INSTALL +++ b/postfix/INSTALL 
@@ -425,41 +425,44 @@ Parameters whose defaults can be specified in this way are listed below. See the postconf(5) manpage for a description (command: "nroff -man man/man5/ postconf.5 | less"). - __________________________________________ - |parameter name |typical default | - |_____________________|____________________| - |command_directory |/usr/sbin | - |_____________________|____________________| - |config_directory |/etc/postfix | - |_____________________|____________________| - |default_database_type|hash | - |_____________________|____________________| - |daemon_directory |/usr/libexec/postfix| - |_____________________|____________________| - |data_directory |/var/lib/postfix | - |_____________________|____________________| - |html_directory |no | - |_____________________|____________________| - |mail_spool_directory |/var/mail | - |_____________________|____________________| - |mailq_path |/usr/bin/mailq | - |_____________________|____________________| - |manpage_directory |/usr/local/man | - |_____________________|____________________| - |meta_directory |/etc/postfix | - |_____________________|____________________| - |newaliases_path |/usr/bin/newaliases | - |_____________________|____________________| - |openssl_path |openssl | - |_____________________|____________________| - |queue_directory |/var/spool/postfix | - |_____________________|____________________| - |readme_directory |no | - |_____________________|____________________| - |sendmail_path |/usr/sbin/sendmail | - |_____________________|____________________| - |shlib_directory |/usr/lib/postfix | - |_____________________|____________________| + _______________________________________________________________________ + |parameter name |typical default | + |_____________________|_________________________________________________| + |command_directory |/usr/sbin | + |_____________________|_________________________________________________| + |config_directory |/etc/postfix | + 
|_____________________|_________________________________________________| + |default_database_type|hash | + |_____________________|_________________________________________________| + |default_cache_db_type|(lmdb if default_database_type is lmdb, otherwise| + | |btree) | + |_____________________|_________________________________________________| + |daemon_directory |/usr/libexec/postfix | + |_____________________|_________________________________________________| + |data_directory |/var/lib/postfix | + |_____________________|_________________________________________________| + |html_directory |no | + |_____________________|_________________________________________________| + |mail_spool_directory |/var/mail | + |_____________________|_________________________________________________| + |mailq_path |/usr/bin/mailq | + |_____________________|_________________________________________________| + |manpage_directory |/usr/local/man | + |_____________________|_________________________________________________| + |meta_directory |/etc/postfix | + |_____________________|_________________________________________________| + |newaliases_path |/usr/bin/newaliases | + |_____________________|_________________________________________________| + |openssl_path |openssl | + |_____________________|_________________________________________________| + |queue_directory |/var/spool/postfix | + |_____________________|_________________________________________________| + |readme_directory |no | + |_____________________|_________________________________________________| + |sendmail_path |/usr/sbin/sendmail | + |_____________________|_________________________________________________| + |shlib_directory |/usr/lib/postfix | + |_____________________|_________________________________________________| 4.6.2 - All Postfix versions 
@@ -477,33 +480,35 @@ Parameters whose defaults can be specified in this way are listed below. See the postconf(5) manpage for a description (command: "nroff -man man/man5/ postconf.5 | less"). - ____________________________________________________________ - |Macro name |default value for |typical default | - |_________________|_____________________|____________________| - |DEF_COMMAND_DIR |command_directory |/usr/sbin | - |_________________|_____________________|____________________| - |DEF_CONFIG_DIR |config_directory |/etc/postfix | - |_________________|_____________________|____________________| - |DEF_DB_TYPE |default_database_type|hash | - |_________________|_____________________|____________________| - |DEF_DAEMON_DIR |daemon_directory |/usr/libexec/postfix| - |_________________|_____________________|____________________| - |DEF_DATA_DIR |data_directory |/var/lib/postfix | - |_________________|_____________________|____________________| - |DEF_MAILQ_PATH |mailq_path |/usr/bin/mailq | - |_________________|_____________________|____________________| - |DEF_HTML_DIR |html_directory |no | - |_________________|_____________________|____________________| - |DEF_MANPAGE_DIR |manpage_directory |/usr/local/man | - |_________________|_____________________|____________________| - |DEF_NEWALIAS_PATH|newaliases_path |/usr/bin/newaliases | - |_________________|_____________________|____________________| - |DEF_QUEUE_DIR |queue_directory |/var/spool/postfix | - |_________________|_____________________|____________________| - |DEF_README_DIR |readme_directory |no | - |_________________|_____________________|____________________| - |DEF_SENDMAIL_PATH|sendmail_path |/usr/sbin/sendmail | - |_________________|_____________________|____________________| + _________________________________________________________________________ + |Macro name |default value for |typical default | + |_________________|_____________________|_________________________________| + |DEF_COMMAND_DIR 
|command_directory |/usr/sbin | + |_________________|_____________________|_________________________________| + |DEF_CONFIG_DIR |config_directory |/etc/postfix | + |_________________|_____________________|_________________________________| + |DEF_DB_TYPE |default_database_type|hash | + |_________________|_____________________|_________________________________| + |DEF_CACHE_DB_TYPE|default_cache_db_type|hash or lmdb, depends on platform| + |_________________|_____________________|_________________________________| + |DEF_DAEMON_DIR |daemon_directory |/usr/libexec/postfix | + |_________________|_____________________|_________________________________| + |DEF_DATA_DIR |data_directory |/var/lib/postfix | + |_________________|_____________________|_________________________________| + |DEF_MAILQ_PATH |mailq_path |/usr/bin/mailq | + |_________________|_____________________|_________________________________| + |DEF_HTML_DIR |html_directory |no | + |_________________|_____________________|_________________________________| + |DEF_MANPAGE_DIR |manpage_directory |/usr/local/man | + |_________________|_____________________|_________________________________| + |DEF_NEWALIAS_PATH|newaliases_path |/usr/bin/newaliases | + |_________________|_____________________|_________________________________| + |DEF_QUEUE_DIR |queue_directory |/var/spool/postfix | + |_________________|_____________________|_________________________________| + |DEF_README_DIR |readme_directory |no | + |_________________|_____________________|_________________________________| + |DEF_SENDMAIL_PATH|sendmail_path |/usr/sbin/sendmail | + |_________________|_____________________|_________________________________| Note: the data_directory parameter (for caches and pseudo-random numbers) was introduced with Postfix version 2.5. 
@@ -538,9 +543,10 @@ The following is an extensive list of names and values. |_______________________________|_____________________________________________| || |Do not build with Berkeley DB support. By | || |default, Berkeley DB support is compiled in | -||-DNO_DB |on platforms that are known to support this | -|| |feature. If you override this, then you | -|| |probably should also override DEF_DB_TYPE as | +|| |on platforms that are known to support this | +||-DNO_DB |feature. If you override this, then you | +|| |probably should also override | +|| |default_database_type or DEF_DB_TYPE as | || |described in section 4.6. | ||______________________________|_____________________________________________| ||-DNO_DNSSEC |Do not build with DNSSEC support, even if the| diff --git a/postfix/README_FILES/INSTALL b/postfix/README_FILES/INSTALL index a57af61a6..8a91750f7 100644 --- a/postfix/README_FILES/INSTALL +++ b/postfix/README_FILES/INSTALL 
@@ -425,41 +425,44 @@ Parameters whose defaults can be specified in this way are listed below. See the postconf(5) manpage for a description (command: "nroff -man man/man5/ postconf.5 | less"). - _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ - |ppaarraammeetteerr nnaammee |ttyyppiiccaall ddeeffaauulltt | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |command_directory |/usr/sbin | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |config_directory |/etc/postfix | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |default_database_type|hash | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |daemon_directory |/usr/libexec/postfix| - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |data_directory |/var/lib/postfix | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |html_directory |no | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |mail_spool_directory |/var/mail | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |mailq_path |/usr/bin/mailq | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |manpage_directory |/usr/local/man | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |meta_directory |/etc/postfix | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |newaliases_path |/usr/bin/newaliases | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |openssl_path |openssl | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |queue_directory |/var/spool/postfix | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
_ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |readme_directory |no | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |sendmail_path |/usr/sbin/sendmail | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |shlib_directory |/usr/lib/postfix | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ + |ppaarraammeetteerr nnaammee |ttyyppiiccaall ddeeffaauulltt | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |command_directory |/usr/sbin | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |config_directory |/etc/postfix | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |default_database_type|hash | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |default_cache_db_type|(lmdb if default_database_type is lmdb, otherwise| + | |btree) | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |daemon_directory |/usr/libexec/postfix | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |data_directory |/var/lib/postfix | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |html_directory |no | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
_ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |mail_spool_directory |/var/mail | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |mailq_path |/usr/bin/mailq | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |manpage_directory |/usr/local/man | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |meta_directory |/etc/postfix | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |newaliases_path |/usr/bin/newaliases | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |openssl_path |openssl | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |queue_directory |/var/spool/postfix | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |readme_directory |no | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |sendmail_path |/usr/sbin/sendmail | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |shlib_directory |/usr/lib/postfix | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | 44..66..22 -- AAllll PPoossttffiixx vveerrssiioonnss 
@@ -477,33 +480,35 @@ Parameters whose defaults can be specified in this way are listed below. See the postconf(5) manpage for a description (command: "nroff -man man/man5/ postconf.5 | less"). - _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ - |MMaaccrroo nnaammee |ddeeffaauulltt vvaalluuee ffoorr |ttyyppiiccaall ddeeffaauulltt | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |DEF_COMMAND_DIR |command_directory |/usr/sbin | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |DEF_CONFIG_DIR |config_directory |/etc/postfix | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |DEF_DB_TYPE |default_database_type|hash | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |DEF_DAEMON_DIR |daemon_directory |/usr/libexec/postfix| - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |DEF_DATA_DIR |data_directory |/var/lib/postfix | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |DEF_MAILQ_PATH |mailq_path |/usr/bin/mailq | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |DEF_HTML_DIR |html_directory |no | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |DEF_MANPAGE_DIR |manpage_directory |/usr/local/man | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |DEF_NEWALIAS_PATH|newaliases_path |/usr/bin/newaliases | - |_ _ 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |DEF_QUEUE_DIR |queue_directory |/var/spool/postfix | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |DEF_README_DIR |readme_directory |no | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |DEF_SENDMAIL_PATH|sendmail_path |/usr/sbin/sendmail | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ + |MMaaccrroo nnaammee |ddeeffaauulltt vvaalluuee ffoorr |ttyyppiiccaall ddeeffaauulltt | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |DEF_COMMAND_DIR |command_directory |/usr/sbin | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |DEF_CONFIG_DIR |config_directory |/etc/postfix | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |DEF_DB_TYPE |default_database_type|hash | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |DEF_CACHE_DB_TYPE|default_cache_db_type|hash or lmdb, depends on platform| + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |DEF_DAEMON_DIR |daemon_directory |/usr/libexec/postfix | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
_ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |DEF_DATA_DIR |data_directory |/var/lib/postfix | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |DEF_MAILQ_PATH |mailq_path |/usr/bin/mailq | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |DEF_HTML_DIR |html_directory |no | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |DEF_MANPAGE_DIR |manpage_directory |/usr/local/man | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |DEF_NEWALIAS_PATH|newaliases_path |/usr/bin/newaliases | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |DEF_QUEUE_DIR |queue_directory |/var/spool/postfix | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |DEF_README_DIR |readme_directory |no | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |DEF_SENDMAIL_PATH|sendmail_path |/usr/sbin/sendmail | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | Note: the data_directory parameter (for caches and pseudo-random numbers) was introduced with Postfix version 2.5. 
@@ -538,9 +543,10 @@ The following is an extensive list of names and values. |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | || |Do not build with Berkeley DB support. By | || |default, Berkeley DB support is compiled in | -||-DNO_DB |on platforms that are known to support this | -|| |feature. If you override this, then you | -|| |probably should also override DEF_DB_TYPE as | +|| |on platforms that are known to support this | +||-DNO_DB |feature. If you override this, then you | +|| |probably should also override | +|| |default_database_type or DEF_DB_TYPE as | || |described in section 4.6. | |_|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | ||-DNO_DNSSEC |Do not build with DNSSEC support, even if the| diff --git a/postfix/README_FILES/REQUIRETLS_README b/postfix/README_FILES/REQUIRETLS_README index 72eaf1681..81e1452f7 100644 --- a/postfix/README_FILES/REQUIRETLS_README +++ b/postfix/README_FILES/REQUIRETLS_README @@ -4,6 +4,7 @@ PPoossttffiixx RREEQQUUIIRREETTLLSS SSuuppppoorrtt TTaabbllee ooff CCoonntteennttss + * Purpose of this document * Introduction * REQUIRETLS for a perimeter MTA 
@@ -19,32 +20,48 @@ TTaabbllee ooff CCoonntteennttss * REQUIRETLS quick summary * Credits +PPuurrppoossee ooff tthhiiss ddooccuummeenntt + +This document covers Postfix configuration for the REQUIRETLS extension. The +purpose of these settings is to make REQUIRETLS support usable in an existing +environment where REQUIRETLS support is still uncommon, with a path towards a +future with REQUIRETLS. + IInnttrroodduuccttiioonn -(For background information, see below for a REQUIRETLS quick summary.) +The REQUIRETLS extension in ESMTP is defined in RFC 8689. When a sender +requests REQUIRETLS. the message must be sent only over strongly-authenticated +SMTP or LMTP connections. + +Specifically: + + * Every server in the forward path to the final destination must announce + REQUIRETLS support. -This document covers the Postfix default settings for using the REQUIRETLS -extension. The purpose of these defaults is to make REQUIRETLS support usable -in an existing environment, with a path towards the future. + Challenge: as of 2025, only a few servers implement REQUIRETLS. -The main issues with deploying REQUIRETLS are a lack of support in existing -infrastructure: + * Every server in the forward path must be looked up securely (for example, + with DNSSEC or HTTPS). - * REQUIRETLS requires that server certificates are authenticated. When email - is sent across the Internet, this involves a DANE or MTA-STS policy that is - published by a mail receiving domain, using DNSSEC or HTTPS. At this time, - many domains do not publish such a policy. + * Every server certificate in the forward path must be verified. In practice, + this involves DANE (+DNSSEC) or MTA-STS; custom configuration would not + scale. - * REQUIRETLS is historically not supported by existing local infrastructure - such as internal message stores or Postfix content filters, and may be - over-kill for connections that happen behind a perimeter MTA within a - trusted internal network. 
+ Challenge: as of 2025, many domains do not publish a DANE or MTA-STS + policy. + + * A message with REQUIRETLS must be returned to the sender if any of the + above requirements is not satisfied (no STARTTLS support, no secure server + lookup, no trusted or no matching server certificate, or no server that + announces REQUIRETLS support). + +For more background information, see the REQUIRETLS quick summary below. RREEQQUUIIRREETTLLSS ffoorr aa ppeerriimmeetteerr MMTTAA In this text, a perimeter MTA is a mail system that operates on the boundary of an administrative domain. It receives email messages for the domain, and/or -delivers email messages on behalf of the domain. +sends email messages on behalf of the domain. RReecceeiivviinngg iinnbboouunndd mmeessssaaggeess wwiitthh RREEQQUUIIRREETTLLSS rreeqquueessttss @@ -369,11 +386,11 @@ SMTP features: 6409], and the LMTP Local Mail Transfer Protocol [RFC 2033]. * REQUIRETLS is an end-to-end feature, unlike SMTP which is hop-by-hop. When - a sender requests REQUIRETLS, each MTA in the forward path must support + a sender requests REQUIRETLS, each server in the forward path must support REQUIRETLS. - * Each connection in the forward path must be made to an MX server that has - been looked up securely (for example, with DNSSEC or HTTPS). + * Each connection in the forward path must be made to a server that has been + looked up securely (for example, with DNSSEC or HTTPS). * Each server certificate must be verified. To match a server certificate, the Postfix SMTP client needs to use an appropriate policy type: 
@@ -404,7 +421,9 @@ SMTP features: * Returning an undeliverable message that requires REQUIRETLS comes with its own challenges: the return path may differ from the forward path, and the return path may not support REQUIRETLS all the way back to the sender, even - if the forward path supported REQUIRETLS. + if the forward path supported REQUIRETLS. By default, Postfix follows RFC + 8689 and redacts bounce messages so that they can be sent without + REQUIRETLS. CCrreeddiittss diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index e661ece6a..852fef1e9 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES 
@@ -29,6 +29,49 @@ IPL can continue with that license. Major changes - database ------------------------ +[Infrastructure 20251226] Tooling to help with the migration away +from Berkeley DB. + +The new parameter default_cache_db_type controls the default database +type for address_verify_map and postscreen_cache_map, and can +eliminate a few hard-coded database types in main.cf. This parameter +defaults to 'lmdb' if the default_database_type value equals 'lmdb', +otherwise it assumes the historical value 'btree'. + +Sites that build without Berkeley DB are suggested to use one of the +following commands in their build process: + +1 - Make lmdb the default for both default_database_type + and default_cache_db_type. + + make makefiles CCARGS="-NO_DB ..." default_database_type=lmdb + +2 - Make cdb the default for default_database_type, and make + lmdb the default for default_cache_db_type. + + make makefiles CCARGS="-NO_DB ..." default_database_type=cdb \ + default_cache_db_type=lmdb + +Postfix hash and btree files can easily be migrated when the +source file is available. Just run + + postmap lmdb:/path/to/file + +That does not work for address_verify_map and postscreen_cache_map +because there is no source file. In that case, to migrate a btree +file to lmdb, execute as root: + + rm -f /path/to/file.lmdb + postmap -s btree:/path/to/file | postmap -i lmdb:/path/to/file + chown postfix /path/to/file.lmdb + +This should happen for every btree datbase with long-lived data that +has no data source file: address_verify_map, postscreen_cache_map, +and the optional smtp_sasl_auth_cache_name. + +Limitation: the above database migration commands work only if +Berkeley DB btree support is still available :-( + [Feature 20250321] Safety: the SQLite client now logs a warning when a query uses double quotes instead of the Postfix-recommended single quotes. Only the recommended form is protected against SQL 
diff --git a/postfix/html/INSTALL.html b/postfix/html/INSTALL.html index a41610a71..5bca3382e 100644 --- a/postfix/html/INSTALL.html +++ b/postfix/html/INSTALL.html @@ -674,6 +674,8 @@ listed below. See the postconf(5) manpage for a de default_database_type hash + default_cache_db_type (lmdb if default_database_type is lmdb, otherwise btree) + daemon_directory /usr/libexec/postfix data_directory /var/lib/postfix @@ -742,6 +744,9 @@ default DEF_DB_TYPE default_database_type hash + DEF_CACHE_DB_TYPE default_cache_db_type +hash or lmdb, depends on platform + DEF_DAEMON_DIR daemon_directory /usr/libexec/postfix @@ -813,8 +818,8 @@ off Postfix features at compile time: -DNO_DB Do not build with Berkeley DB support. By default, Berkeley DB support is compiled in on platforms that are known to support this feature. If you override -this, then you probably should also override DEF_DB_TYPE as described -in section 4.6. +this, then you probably should also override default_database_type +or DEF_DB_TYPE as described in section 4.6. -DNO_DNSSEC Do not build with DNSSEC support, even if the resolver library appears to support it. diff --git a/postfix/html/REQUIRETLS_README.html b/postfix/html/REQUIRETLS_README.html index b29a5b78d..9650470ab 100644 --- a/postfix/html/REQUIRETLS_README.html +++ b/postfix/html/REQUIRETLS_README.html @@ -21,6 +21,7 @@

Table of Contents

diff --git a/postfix/html/makedefs.1.html b/postfix/html/makedefs.1.html index 05e4f183e..c5afd48f9 100644 --- a/postfix/html/makedefs.1.html +++ b/postfix/html/makedefs.1.html @@ -194,10 +194,10 @@ MAKEDEFS(1) MAKEDEFS(1) this context: command_directory config_directory daemon_directory data_direc- - tory default_database_type html_directory mail_spool_directory - mailq_path manpage_directory meta_directory newaliases_path - queue_directory readme_directory sendmail_path shlib_directory - openssl_path + tory default_cache_db_type default_database_type html_directory + mail_spool_directory mailq_path manpage_directory meta_directory + newaliases_path queue_directory readme_directory sendmail_path + shlib_directory openssl_path See the postconf(5) manpage for a description of these parame- ters. diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 9fee2f519..b82a70a03 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -225,7 +225,7 @@ This feature is available in Postfix 2.1 and later.
address_verify_map -(default: see "postconf -d" output)
+(default: Postfix ≥ 3.11: $default_cache_db_type:$data_directory/address_verify_map; Postfix < 3,11: btree:$data_directory/address_verify_map)

Lookup table for persistent address verification status @@ -2018,6 +2018,18 @@ Example: +

+ +
default_cache_db_type +(default: lmdb if default_database_type is lmdb, otherwise btree)
+ +

The default database type for address_verify_map and +postscreen_cache_map. Before Postfix 3.11 those caches used btree +by default.

+ +

This feature is available in Postfix ≥ 3.11.

+ +
default_database_type @@ -8715,12 +8727,13 @@ The default time unit is h (hours).

postscreen_cache_map -(default: btree:$data_directory/postscreen_cache)
+(default: Postfix ≥ 3.11: $default_cache_db_type:$data_directory/postscreen_cache_map; Postfix < 3.11: btree:$data_directory/postscreen_cache_map)

Persistent storage for the postscreen(8) server decisions.

To share a postscreen(8) cache between multiple postscreen(8) -instances, use "postscreen_cache_map = proxy:btree:/path/to/file". +instances, use "postscreen_cache_map = proxy:btree:/path/to/file" +or "proxy:lmdb:/path/to/file". This requires Postfix version 2.9 or later; earlier proxymap(8) implementations don't support cache cleanup. For an alternative approach see the memcache_table(5) manpage.

@@ -13157,10 +13170,11 @@ the directory specified with the data_d passwords, and requires that Postfix is compiled with TLS support.

-

Example:

+

Examples:

 smtp_sasl_auth_cache_name = proxy:btree:/var/lib/postfix/sasl_auth_cache
+smtp_sasl_auth_cache_name = proxy:lmdb:/var/lib/postfix/sasl_auth_cache
 

This feature is available in Postfix 2.5 and later.

@@ -15305,6 +15319,7 @@ under a non-Postfix directory is redirected to the Postfix-owned
 smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
+smtp_tls_session_cache_database = lmdb:/var/lib/postfix/smtp_scache
 

This feature is available in Postfix 2.2 and later.

@@ -20224,10 +20239,11 @@ generally be left empty. TLS session tickets require an OpenSSL library (at least version 0.9.8h) that provides full support for this TLS extension. See also smtpd_tls_session_cache_timeout.

-

Example:

+

Examples:

 smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
+smtpd_tls_session_cache_database = lmdb:/var/lib/postfix/smtpd_scache
 

This feature is available in Postfix 2.2 and later.

diff --git a/postfix/makedefs b/postfix/makedefs index 69c378a00..a18e9c2a7 100644 --- a/postfix/makedefs +++ b/postfix/makedefs @@ -162,10 +162,10 @@ # supported in this context: # # command_directory config_directory daemon_directory -# data_directory default_database_type html_directory -# mail_spool_directory mailq_path manpage_directory meta_directory -# newaliases_path queue_directory readme_directory sendmail_path -# shlib_directory openssl_path +# data_directory default_cache_db_type default_database_type +# html_directory mail_spool_directory mailq_path manpage_directory +# meta_directory newaliases_path queue_directory readme_directory +# sendmail_path shlib_directory openssl_path # # See the postconf(5) manpage for a description of these # parameters. @@ -1124,9 +1124,10 @@ do esac done +default_cache_db_type_macro=DEF_CACHE_DB_TYPE default_database_type_macro=DEF_DB_TYPE -for parm_name in default_database_type +for parm_name in default_cache_db_type default_database_type do eval parm_val=\"\$$parm_name\" eval parm_macro=\"\$${parm_name}_macro\" diff --git a/postfix/man/man1/makedefs.1 b/postfix/man/man1/makedefs.1 index b7d904040..d479e80a5 100644 --- a/postfix/man/man1/makedefs.1 +++ b/postfix/man/man1/makedefs.1 @@ -165,10 +165,10 @@ installation parameter(s). The following parameters are supported in this context: command_directory config_directory daemon_directory -data_directory default_database_type html_directory -mail_spool_directory mailq_path manpage_directory meta_directory -newaliases_path queue_directory readme_directory sendmail_path -shlib_directory openssl_path +data_directory default_cache_db_type default_database_type +html_directory mail_spool_directory mailq_path manpage_directory +meta_directory newaliases_path queue_directory readme_directory +sendmail_path shlib_directory openssl_path See the postconf(5) manpage for a description of these parameters. 
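Review bot: The comment block in the first makedefs hunk lists `default_cache_db_type` as a supported build-time name but does not say which values are acceptable. The loop in the second hunk forwards the value to `DEF_CACHE_DB_TYPE` with no check visible here, although its body continues outside the hunk and a check may exist there. The parameter supplies the type for address_verify_map and postscreen_cache_map, which are caches that get written to, so a table type that does not support updates would presumably leave verify(8) and postscreen(8) unable to use their cache. I would add a line to the comment block, for example `# default_cache_db_type must name a table type that supports updates (for example lmdb or btree).`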
diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 5d10da670..e27010702 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -134,7 +134,7 @@ Overrides the local_transport parameter setting for address verification probes. .PP This feature is available in Postfix 2.1 and later. -.SH address_verify_map (default: see "postconf \-d" output) +.SH address_verify_map (default: Postfix >= 3.11: $default_cache_db_type:$data_directory/address_verify_map; Postfix < 3,11: btree:$data_directory/address_verify_map) Lookup table for persistent address verification status storage. The table is maintained by the \fBverify\fR(8) service, and is opened before the process releases privileges. @@ -1226,6 +1226,12 @@ debugger_command = ddd $daemon_directory/$process_name $process_id & sleep 5 .fi .ad +.SH default_cache_db_type (default: lmdb if default_database_type is lmdb, otherwise btree) +The default database type for address_verify_map and +postscreen_cache_map. Before Postfix 3.11 those caches used btree +by default. +.PP +This feature is available in Postfix >= 3.11. .SH default_database_type (default: see "postconf \-d" output) The default database type for use in \fBnewaliases\fR(1), \fBpostalias\fR(1) and \fBpostmap\fR(1) commands. On many UNIX systems the default type is 
@@ -5421,11 +5427,12 @@ one\-letter suffix that specifies the time unit). Time units: s The default time unit is h (hours). .PP This feature is available in Postfix 2.8. -.SH postscreen_cache_map (default: btree:$data_directory/postscreen_cache) +.SH postscreen_cache_map (default: Postfix >= 3.11: $default_cache_db_type:$data_directory/postscreen_cache_map; Postfix < 3.11: btree:$data_directory/postscreen_cache_map) Persistent storage for the \fBpostscreen\fR(8) server decisions. .PP To share a \fBpostscreen\fR(8) cache between multiple \fBpostscreen\fR(8) -instances, use "postscreen_cache_map = proxy:btree:/path/to/file". +instances, use "postscreen_cache_map = proxy:btree:/path/to/file" +or "proxy:lmdb:/path/to/file". This requires Postfix version 2.9 or later; earlier \fBproxymap\fR(8) implementations don't support cache cleanup. For an alternative approach see the \fBmemcache_table\fR(5) manpage. @@ -8504,11 +8511,12 @@ the directory specified with the data_directory parameter. This feature uses cryptographic hashing to protect plain\-text passwords, and requires that Postfix is compiled with TLS support. .PP -Example: +Examples: .PP .nf .na smtp_sasl_auth_cache_name = proxy:btree:/var/lib/postfix/sasl_auth_cache +smtp_sasl_auth_cache_name = proxy:lmdb:/var/lib/postfix/sasl_auth_cache .fi .ad .PP @@ -10345,6 +10353,7 @@ Example: .nf .na smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache +smtp_tls_session_cache_database = lmdb:/var/lib/postfix/smtp_scache .fi .ad .PP @@ -14235,11 +14244,12 @@ generally be left empty. TLS session tickets require an OpenSSL library (at least version 0.9.8h) that provides full support for this TLS extension. See also smtpd_tls_session_cache_timeout. .PP -Example: +Examples: .PP .nf .na smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache +smtpd_tls_session_cache_database = lmdb:/var/lib/postfix/smtpd_scache .fi .ad .PP 
diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink index b76078b9e..a464b9f79 100755 --- a/postfix/mantools/postlink +++ b/postfix/mantools/postlink @@ -140,6 +140,7 @@ while (<>) { s;\bdebug_peer_list\b;$&;g; s;\bdefault_delivery_status_filter\b;$&;g; s;\bdefault_data[-]*\n* *[]*base_type\b;$&;g; + s;\bdefault_cache_[-]*\n* *[]*db_type\b;$&;g; s;\bdefault_deliv[-]*\n* *[]*ery_slot_cost\b;$&;g; s;\bdefault_deliv[-]*\n* *[]*ery_slot_dis[-]*\n* *[]*count\b;$&;g; s;\bdefault_deliv[-]*\n* *[]*ery_slot_loan\b;$&;g; diff --git a/postfix/proto/INSTALL.html b/postfix/proto/INSTALL.html index 2896b6b5c..0b92e3a06 100644 --- a/postfix/proto/INSTALL.html +++ b/postfix/proto/INSTALL.html @@ -674,6 +674,8 @@ listed below. See the postconf(5) manpage for a description default_database_type hash + default_cache_db_type (lmdb if default_database_type is lmdb, otherwise btree) + daemon_directory /usr/libexec/postfix data_directory /var/lib/postfix @@ -742,6 +744,9 @@ default DEF_DB_TYPE default_database_type hash + DEF_CACHE_DB_TYPE default_cache_db_type +hash or lmdb, depends on platform + DEF_DAEMON_DIR daemon_directory /usr/libexec/postfix @@ -813,8 +818,8 @@ off Postfix features at compile time: -DNO_DB Do not build with Berkeley DB support. By default, Berkeley DB support is compiled in on platforms that are known to support this feature. If you override -this, then you probably should also override DEF_DB_TYPE as described -in section 4.6. +this, then you probably should also override default_database_type +or DEF_DB_TYPE as described in section 4.6. -DNO_DNSSEC Do not build with DNSSEC support, even if the resolver library appears to support it. diff --git a/postfix/proto/REQUIRETLS_README.html b/postfix/proto/REQUIRETLS_README.html index a3b0c4a32..189902f3a 100644 --- a/postfix/proto/REQUIRETLS_README.html +++ b/postfix/proto/REQUIRETLS_README.html @@ -21,6 +21,7 @@

Table of Contents

    +
  • Purpose of this document
  • Introduction
  • REQUIRETLS for a perimeter MTA
      @@ -38,38 +39,55 @@
    -

    Introduction

    +

    Purpose of this document

    -

    (For background information, see below for a -REQUIRETLS quick summary.)

    +

    This document covers Postfix configuration for the REQUIRETLS +extension. The purpose of these settings is to make REQUIRETLS +support usable in an existing environment where REQUIRETLS support +is still uncommon, with a path towards a future with REQUIRETLS. +

    -

    This document covers the Postfix default settings for using the -REQUIRETLS extension. The purpose of these defaults is to make REQUIRETLS -support usable in an existing environment, with a path towards the -future.

    +

    Introduction

    -

    The main issues with deploying REQUIRETLS are a lack of support in -existing infrastructure:

    +

    The REQUIRETLS extension in ESMTP is defined in RFC 8689. When +a sender requests REQUIRETLS. the message must be sent only over +strongly-authenticated SMTP or LMTP connections.

    + +

    Specifically:

      -
    • REQUIRETLS requires that server certificates are authenticated. -When email is sent across the Internet, this involves a DANE or MTA-STS -policy that is published by a mail receiving domain, using DNSSEC or -HTTPS. At this time, many domains do not publish such a policy.

      +
    • Every server in the forward path to the final destination must +announce REQUIRETLS support.

      + +
      Challenge: as of 2025, only a few servers implement +REQUIRETLS.
      -
    • REQUIRETLS is historically not supported by existing local -infrastructure such as internal message stores or Postfix content -filters, and may be over-kill for connections that happen behind a -perimeter MTA within a trusted internal network.

      +
    • Every server in the forward path must be looked up securely +(for example, with DNSSEC or HTTPS).

      + +
    • Every server certificate in the forward path must be verified. In +practice, this involves DANE (+DNSSEC) or MTA-STS; custom configuration +would not scale.

      + +
      Challenge: as of 2025, many domains do not publish a +DANE or MTA-STS policy.
      + +
    • A message with REQUIRETLS must be returned to the sender if +any of the above requirements is not satisfied (no STARTTLS support, +no secure server lookup, no trusted or no matching server certificate, +or no server that announces REQUIRETLS support).

    +

    For more background information, see the +REQUIRETLS quick summary below.

    +

    REQUIRETLS for a perimeter MTA

    In this text, a perimeter MTA is a mail system that operates on the boundary of an administrative domain. It receives email -messages for the domain, and/or delivers email messages on behalf +messages for the domain, and/or sends email messages on behalf of the domain.

    Receiving inbound messages with REQUIRETLS requests

    @@ -486,10 +504,10 @@ S: 250 OK
  • REQUIRETLS is an end-to-end feature, unlike SMTP which is hop-by-hop. When a sender requests REQUIRETLS, each -MTA in the forward path must support REQUIRETLS.

    +server in the forward path must support REQUIRETLS.

    -
  • Each connection in the forward path must be made to an MX -server that has been looked up securely (for example, with DNSSEC +

  • Each connection in the forward path must be made to a server +that has been looked up securely (for example, with DNSSEC or HTTPS).

  • Each server certificate must be verified. To match a server @@ -528,7 +546,8 @@ server certificate, or no server that announces REQUIRETLS support). comes with its own challenges: the return path may differ from the forward path, and the return path may not support REQUIRETLS all the way back to the sender, even if the forward path supported -REQUIRETLS.

    +REQUIRETLS. By default, Postfix follows RFC 8689 and redacts +bounce messages so that they can be sent without REQUIRETLS.

diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index fcf457305..0a3e84224 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -202,7 +202,7 @@ verification probes. This feature is available in Postfix 2.1 and later.

-%PARAM address_verify_map see "postconf -d" output +%PARAM address_verify_map Postfix ≥ 3.11: $default_cache_db_type:$data_directory/address_verify_map; Postfix < 3,11: btree:$data_directory/address_verify_map

Lookup table for persistent address verification status @@ -10082,10 +10082,11 @@ generally be left empty. TLS session tickets require an OpenSSL library (at least version 0.9.8h) that provides full support for this TLS extension. See also smtpd_tls_session_cache_timeout.

-

Example:

+

Examples:

 smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
+smtpd_tls_session_cache_database = lmdb:/var/lib/postfix/smtpd_scache
 

This feature is available in Postfix 2.2 and later.

@@ -10460,6 +10461,7 @@ data_directory, and a warning is logged.

 smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
+smtp_tls_session_cache_database = lmdb:/var/lib/postfix/smtp_scache
 

This feature is available in Postfix 2.2 and later.

@@ -14285,10 +14287,11 @@ the directory specified with the data_directory parameter.

passwords, and requires that Postfix is compiled with TLS support.

-

Example:

+

Examples:

 smtp_sasl_auth_cache_name = proxy:btree:/var/lib/postfix/sasl_auth_cache
+smtp_sasl_auth_cache_name = proxy:lmdb:/var/lib/postfix/sasl_auth_cache
 

This feature is available in Postfix 2.5 and later.

@@ -14667,12 +14670,13 @@ inspection for DKIM-signed mail from known friendly domains.

This feature is available in Postfix 2.7, and as an optional patch for Postfix 2.6.

-%PARAM postscreen_cache_map btree:$data_directory/postscreen_cache +%PARAM postscreen_cache_map Postfix ≥ 3.11: $default_cache_db_type:$data_directory/postscreen_cache_map; Postfix < 3.11: btree:$data_directory/postscreen_cache_map

Persistent storage for the postscreen(8) server decisions.

To share a postscreen(8) cache between multiple postscreen(8) -instances, use "postscreen_cache_map = proxy:btree:/path/to/file". +instances, use "postscreen_cache_map = proxy:btree:/path/to/file" +or "proxy:lmdb:/path/to/file". This requires Postfix version 2.9 or later; earlier proxymap(8) implementations don't support cache cleanup. For an alternative approach see the memcache_table(5) manpage.

@@ -20288,3 +20292,11 @@ to=<recipient>

This feature is available in Postfix ≥ 3.11.

+ +%PARAM default_cache_db_type lmdb if default_database_type is lmdb, otherwise btree + +

The default database type for address_verify_map and +postscreen_cache_map. Before Postfix 3.11 those caches used btree +by default.

+ +

This feature is available in Postfix ≥ 3.11.

diff --git a/postfix/src/global/mail_params.c b/postfix/src/global/mail_params.c index 6d346ad3d..3cdaa9a66 100644 --- a/postfix/src/global/mail_params.c +++ b/postfix/src/global/mail_params.c @@ -54,6 +54,7 @@ /* int var_ipc_idle_limit; /* int var_ipc_ttl_limit; /* char *var_db_type; +/* char *var_cache_db_type; /* char *var_hash_queue_names; /* int var_hash_queue_depth; /* int var_trigger_timeout; @@ -299,6 +300,7 @@ char *var_mail_version; int var_ipc_idle_limit; int var_ipc_ttl_limit; char *var_db_type; +char *var_cache_db_type; char *var_hash_queue_names; int var_hash_queue_depth; int var_trigger_timeout; @@ -828,6 +830,7 @@ void mail_params_init() VAR_ALIAS_DB_MAP, DEF_ALIAS_DB_MAP, &var_alias_db_map, 0, 0, VAR_MAIL_RELEASE, DEF_MAIL_RELEASE, &var_mail_release, 1, 0, VAR_DB_TYPE, DEF_DB_TYPE, &var_db_type, 1, 0, + VAR_CACHE_DB_TYPE, DEF_CACHE_DB_TYPE, &var_cache_db_type, 1, 0, VAR_HASH_QUEUE_NAMES, DEF_HASH_QUEUE_NAMES, &var_hash_queue_names, 1, 0, VAR_RCPT_DELIM, DEF_RCPT_DELIM, &var_rcpt_delim, 0, 0, VAR_RELAY_DOMAINS, DEF_RELAY_DOMAINS, &var_relay_domains, 0, 0, diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index c7ab0f205..4436fcdd8 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -377,6 +377,16 @@ extern char *var_config_dirs; #define VAR_DB_TYPE "default_database_type" extern char *var_db_type; + /* + * Preferred type of cache database files. The DEF_CACHE_DB_TYPE macro value + * is system dependent. It is defined in . + */ +#define VAR_CACHE_DB_TYPE "default_cache_db_type" +#ifndef DEF_CACHE_DB_TYPE +#define DEF_CACHE_DB_TYPE "${{$default_database_type}=={lmdb}?{lmdb}:{btree}}" +#endif +extern char *var_cache_db_type; + /* * What syslog facility to use. Unfortunately, something may have to be * logged before parameters are read from the main.cf file. This logging 
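Review bot: The comment added above `VAR_CACHE_DB_TYPE` in the mail_params.h hunk says the macro value is system dependent and defined in another header, but the `#ifndef DEF_CACHE_DB_TYPE` fallback directly below defines it here as `${{$default_database_type}=={lmdb}?{lmdb}:{btree}}`. That expression selects btree for every default_database_type other than lmdb, which presumably includes builds made with `-DNO_DB` (mentioned in the INSTALL text of this commit) where Berkeley DB is not compiled in. In such a build address_verify_map and postscreen_cache_map would default to a type the binary cannot open unless default_cache_db_type is overridden as well. I would reword the comment to describe the fallback and add `Builds without Berkeley DB support and with a non-lmdb default_database_type must override DEF_CACHE_DB_TYPE.`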
@@ -2964,7 +2974,7 @@ extern int var_vrfy_pend_limit; extern char *var_verify_service; #define VAR_VERIFY_MAP "address_verify_map" -#define DEF_VERIFY_MAP "btree:$data_directory/verify_cache" +#define DEF_VERIFY_MAP "$" VAR_CACHE_DB_TYPE ":$data_directory/verify_cache" extern char *var_verify_map; #define VAR_VERIFY_POS_EXP "address_verify_positive_expire_time" @@ -3788,7 +3798,7 @@ extern char *var_multi_cntrl_cmds; * postscreen(8) */ #define VAR_PSC_CACHE_MAP "postscreen_cache_map" -#define DEF_PSC_CACHE_MAP "btree:$data_directory/postscreen_cache" +#define DEF_PSC_CACHE_MAP "$" VAR_CACHE_DB_TYPE ":$data_directory/postscreen_cache" extern char *var_psc_cache_map; #define VAR_SMTPD_SERVICE "smtpd_service_name" diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index bbc5d3f9a..52ad87eed 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20251223" -#define MAIL_VERSION_NUMBER "3.11.0-RC1" +#define MAIL_RELEASE_DATE "20251226" +#define MAIL_VERSION_NUMBER "3.11.0-RC2" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
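Review bot: `DEF_VERIFY_MAP` and `DEF_PSC_CACHE_MAP` keep the file names `verify_cache` and `postscreen_cache`, but the documentation changed in this same commit (html/postconf.5.html, man/man5/postconf.5, proto/postconf.proto) gives the defaults as `$data_directory/address_verify_map` and `$data_directory/postscreen_cache_map`, for both the 3.11 and the pre-3.11 form. An operator who takes the path from postconf(5) for permissions, backup or file monitoring of these caches would look for a file that the default configuration never creates. The documented defaults should read `$default_cache_db_type:$data_directory/verify_cache` and `$default_cache_db_type:$data_directory/postscreen_cache`, with `btree:` in the pre-3.11 form. The address_verify_map entries also have `3,11` where `3.11` is meant. This applies to both mail_params.h hunks on this line.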