From: Wietse Z Venema Date: Fri, 14 Nov 2025 05:00:00 +0000 (-0500) Subject: postfix-3.11-20251114 X-Git-Tag: v3.11.0-RC1~16 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cafda9a4d1e83d953a22ba5e3859ab0e6160926e;p=thirdparty%2Fpostfix.git postfix-3.11-20251114 --- diff --git a/postfix/.indent.pro b/postfix/.indent.pro index 9fa65a8f9..f645854e9 100644 --- a/postfix/.indent.pro +++ b/postfix/.indent.pro @@ -273,6 +273,8 @@ -TPIPE_STATE -TPLMYSQL -TPLPGSQL +-TPOL_STAT +-TPOL_STATS -TPOSTMAP_KEY_STATE -TPOST_MAIL_FCLOSE_STATE -TPOST_MAIL_STATE @@ -346,6 +348,7 @@ -TSMTP_CLI_ATTR -TSMTP_CMD -TSMTP_ITERATOR +-TSMTP_REQTLS_POLICY -TSMTP_RESP -TSMTP_SASL_AUTH_CACHE -TSMTP_SESSION diff --git a/postfix/HISTORY b/postfix/HISTORY index 69a471f42..4900500a9 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -28491,6 +28491,13 @@ Apologies for any names omitted. non-URI target and "dbname" was not set. Instead, it should return a surrogate dictionary. File: global/dict_pgsql.c. + Non-production REQUIRETLS branch: support for the REQUIRETLS + verb in SMTP. According to RFC 8689, this requires TLS + server certificate matching. Files: cleanup/cleanup_api.c, + global/cleanup_strflags.c, global/post_mail.c, global/post_mail.c, + global/ehlo_mask.[hc], global/ehlo_mask_test.c, local/forward.c, + smtpd/smtpd.c, smtp/smtp_connect.c, smtp/smtp_proto.c. + 20241112 Logging: the cleanup server now logs "queueid: removed 
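Review bot: in the HISTORY hunk's new REQUIRETLS entry (inserted directly above 20241112), the file list names the same file twice, "global/post_mail.c, global/post_mail.c,"; drop the second occurrence so the list reads "global/cleanup_strflags.c, global/post_mail.c, global/ehlo_mask.[hc], ...". The entry also carries no date header of its own, so it is filed under whatever date precedes the dict_pgsql entry; confirm that is the intended date for the start of the REQUIRETLS work.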
@@ -28879,6 +28886,37 @@ Apologies for any names omitted. Cleanup: memory leaks in test code. Files: util/hex_code.c, util/argv.c. +20250119 + + Non-production REQUIRETLS branch: configuration parameter + "requiretls_enable" (default: yes). Files: cleanup/cleanup_api.c, + global/cleanup_strflags.c, global/post_mail.c, global/post_mail.c, + global/ehlo_mask.[hc], global/ehlo_mask_test.c, local/forward.c, + smtpd/smtpd.c, smtp/smtp_connect.c, smtp/smtp_proto.c. + +20250120 + + Non-production REQUIRETLS branch: After a certificate check + fails, or a remote SMTP server does not announce REQUIRETLS + support, the Postfix SMTP client will override the RFC 8689 + 5.x.x. status and treat it as a soft error, until there + are no more alternate MX servers to try. Files: smtp/smtp.h, + smtp/smtp_proto.c, smtp/smtp_trouble.c. + +20250122 + + Non-production REQUIRETLS branch: new Postfix sendmail + command option "-O requiretls" to request that deliveries + over SMTP use the REQUIRETLS extension. The string "requiretls" + is case-insensitive. Files: sendmail/sendmail.c, + global/rec_types.h, pickup/pickup.c. + + Non-production REQUIRETLS branch: new Postfix sendmail + command option "-O smtputf8" to request that deliveries + over SMTP use the SMTPUTF8 extension. This reuses logic + that was introduced for REQUIRETLS. The string "smtputf8" + is case-insensitive. Files: sendmail/sendmail.c. + 20250127 Cleanup: broken non-TLS builds because of a missing #ifdef @@ -28932,7 +28970,7 @@ Apologies for any names omitted. Documentation: updated TLSRPT_README, added postfix-tlspol policy plugin, deprecated the policy_ttl attribute. File: proto/TLSRPT_README.html. - + 20250207 Performance: when a mysql: or pgsql: configuration specifies 
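Review bot: the 20250119 entry in the first hunk repeats the duplicated file name seen in the earlier REQUIRETLS entry, "global/post_mail.c, global/post_mail.c"; remove the second occurrence. Also, the two 20250122 entries call the option "-O requiretls" and "-O smtputf8", while the 20240924 entry later in this patch restores "sendmail -O requiretls=yes|no" and "sendmail -O smtputf8=yes|no"; use one spelling for the option syntax in the changelog so readers can tell whether the =yes|no argument is required.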
@@ -29576,6 +29614,14 @@ Apologies for any names omitted. commands with "bad syntax" and "bad UTF-8 syntax" errors. File: smtpd/smtpd.c. +20250818 + + Non-production REQUIRETLS branch: infrastructure that will + use message headers to propagate REQUIRETLS through non-Milter + content filters. Files: global/x_esmtp_verb.[hc], + global/x_esmtp_verb_test.c. This was later renamed to + requiretls_esmtp_header (no smtputf8 support). + 20250819 Bugfix: the 20250717 workaround broke DBM library support @@ -29587,6 +29633,33 @@ Apologies for any names omitted. posttls-finger logged a zero port number. Viktor Dukhovni. File: posttls-finger/posttls-finger.c. +20250824 + + Non-production REQUIRETLS branch: when a message needs to + be delivered with SMTPUTF8, but a remote server does not + support it, try an alternate server. File: smtp/smtp_proto.c. + + Non-production REQUIRETLS branch: better handling of line + breaks in indented paragraphs in the postconf(5) conversion + from HTML to 'man' format. File: mantools/postconf2man. + + Non-production REQUIRETLS branch: requiretls_redact_dsn + (default: yes) as described in RFC 8689 section 5, to produce + bounce messages that don't need REQUIRETLS support on every + hop in the return path. Files: proto/postconf.proto, + global/mail_params.h, bounce/bounce.c. + + Non-production REQUIRETLS branch: smtp_requiretls_policy + and lmtp_requiretls_policy for responsible REQUIRETLS policy + enforcement. Files: proto/postconf.proto, global/mail_params.h, + smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp_connect.c, + smtp/smtp.h, smtp/smtp_params.c, smtp/smtp_proto.c, + smtp/smtp_reqtls_policy.c, smtp/smtp_reqtls_policy.h, + smtp/smtp_reqtls_policy_test.c, smtp/smtp_state.c. + + Non-production REQUIRETLS branch: cleaned up some test code. + Files: util/inet_prefix_top.c, util/inet_addr_list.c. + 20250825 Bugfix (defect introduced: 20250626): panic() in dict_register() 
@@ -29594,6 +29667,20 @@ Apologies for any names omitted. changed the name of a dictionary on-the-fly by skipping a proxy: prefix). File: util/dict_open.c. +20250826 + + Non-production REQUIRETLS branch: renamed all the new + identifiers introduced for REQUIRETLS support to ...REQTLS... and + ...reqtls... and re-indented the code. minimize differences with + the production release. + +20250827 + + Non-production REQUIRETLS branch: logic to skip destinations + whose TLS policy level cannot satisfy the REQUIRETLS policy, + or to log what would fail if REQUIRETLS were fully enforced. + File: smtp/smtp_connect.c. + 20250906 Workaround for an interface mis-match between the Postfix @@ -29615,6 +29702,26 @@ Apologies for any names omitted. smtp/smtp.h, smtp/smtp_connect.c, smtp/smtp_params.c, smtp/smtp_tls_policy.c, smtp/smtp_tls_policy_test.c. +20250910 + + Non-production REQUIRETLS branch: TLS feature policy + status logging in delivery status logging. This shows the + TLS security level enforcement status and, if a message + requests REQUIRETLS, the REQUIRETLS policy enforcement + status. Files: .indent.pro, cleanup/cleanup_bounce.c, + cleanup/cleanup_out_recipient.c, discard/discard.c, error/error.c, + global/Makefile.in, global/bounce.c, global/bounce.h, + global/defer.c, global/defer.h, global/deliver_pass.c, + global/log_adhoc.c, global/log_adhoc.h, global/mail_version.h, + global/reject_deliver_request.c, global/sent.c, global/sent.h, + global/tls_stats.c, global/tls_stats.h, global/trace.c, + global/trace.h, global/verify.c, global/verify.h, local/local.h, + oqmgr/qmgr_bounce.c, oqmgr/qmgr_defer.c, oqmgr/qmgr_message.c, + pipe/pipe.c, qmgr/qmgr_bounce.c, qmgr/qmgr_defer.c, + qmgr/qmgr_message.c, smtp/smtp.h, smtp/smtp_connect.c, + smtp/smtp_proto.c, smtp/smtp_rcpt.c, smtp/smtp_state.c, + smtp/smtp_trouble.c, virtual/virtual.h. + 20250911 Bugfix (defect introduced: Postfix 3.0): the Postfix SMTP 
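Review bot: the 20250826 entry in the first hunk ends in a sentence fragment, "... and re-indented the code. minimize differences with the production release." Join it into one sentence, for example "... and re-indented the code, to minimize differences with the production release."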
@@ -29629,6 +29736,44 @@ Apologies for any names omitted. required but the server does not support that feature. Files: smtp/smtp.h, smtp/smtp_key.c, smtp/smtp_proto.c. + Non-production REQUIRETLS branch: Include the REQUIRETLS + enforcement level in the SMTP connection cache storage key and + cached connection properties, and don't cache connections that + don't satisfy connection requirements. Files: smtp/smtp.h, + smtp/smtp_key.c, smtp_proto.c, smtp/smtp_trouble.c. + +20250914 + + Non-production REQUIRETLS branch: smtp_log_tls_feature_status + logging now shows the initial and final security levels for a + relaxed feature, for example dane:encrypt when opportunistic + 'dane' is downgraded to 'encrypt' after all TLSA records + were found to be unusable. Files: proto/postconf.proto, + global/log_adhoc.c, global/pol_stats.c, global/pol_stats.h, + global/pol_stats_test.c, smtp/smtp.h, smtp/smtp_connect.c, + smtp/smtp_proto.c. + +20250916 + + Non-production REQUIRETLS branch: support for a + "Require-TLS-ESMTP: yes" header to propagate an ESMTP REQUIRETLS + request through a FILTER_README or SMTPD_PROXY_README style + content filter. This header is detected or added by the + cleanup daemon. This feature is enabled by default with + "requiretls_esmtp_header = yes". The Require-TLS-ESMTP header + will be visible to local and remote recipients. This feature can + safely be disabled when a configuration does not use REQUIRETLS, + or does not use FILTER_README or SMTPD_PROXY_README style content + filters. Files: cleanup/cleanup.c, cleanup/cleanup_message.c, + global/header_opts.[hc]. + +20250917 + + Non-production REQUIRETLS branch: SMTP server support to add + a "Require-TLS-ESMTP: yes" header to messages received with + REQUIRETLS when they are sent through an SMTPD_PROXY_README + style content filter. Files: smtpd/smtpd.c, smtp/smtpd_proto.c. + 20250919 Cleanup: unnecessary header parsing code. Viktor Dukhovni. 
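Review bot: two file paths in this hunk look mistyped. The connection-cache entry lists "smtp/smtp.h, smtp/smtp_key.c, smtp_proto.c, smtp/smtp_trouble.c", where smtp_proto.c lacks the smtp/ directory prefix its neighbours have; and the 20250917 entry lists "smtpd/smtpd.c, smtp/smtpd_proto.c", which combines the smtpd file-name prefix with the smtp/ directory, unlike every other reference in this changelog (smtpd/smtpd.c for the server, smtp/smtp_proto.c for the client). Check both against the files actually changed in the commit.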
@@ -29643,14 +29788,43 @@ Apologies for any names omitted. the stock main.cf file. Problem diagnosed by Eray Aslan. File: conf/main.cf. -20240924 +2025921 + Non-production REQUIRETLS branch: with TLS policy status + logging, always log the actual REQUIRETLS state. For example, + when the TLS security level "encrypt" disables certificate + matches, then that is a policy violation for strict REQUIRETLS + enforcement (logged as "!requiretls:nocertmatch"), while + that is permitted with opportunistic REQUIRETLS (logged as + "requiretls:nocertmatch"). Files: proto/postconf.proto, + global/pol_stats.c, global/pol_stats_test.c, smtp/smtp.h, + smtp/smtp_connect.c, smtp/smtp_proto.c. + +2025922 + + Non-production REQUIRETLS branch: more testing and quality + control, resulting in various code and documentation fixes + for TLS feature status logging. Files: smtp/smtp_connect.c, + proto/postconf.proto. + +20240924 + TLSRPT Workaround: when policies[*].policy.policy-type is "no-policy-found", report the TLSRPT policy domain name as the policies[*].policy.policy-domain value. This ignores that TLSA policies must be reported with different policy-domain values than STS policies. File: tls/tlsrpt_wrapper.c. + Non-production REQUIRETLS branch: restore deleted support for the + "sendmail -O requiretls=yes|no command-line option", and support + for preliminary SIZE records in showq and postcat. Files: + sendmail/sendmail.c, global/rec_types.h, postcat/postcat.c, + showq/showq.c. Ditto for "sendmail -O smtputf8=yes|no". + + Non-production REQUIRETLS branch: simplified the policy + status management API and removed unused code. Files: + global/pol_stats.[hc], global/pol_stats_test.c. + 20250927 Updated documentation for smtp_tls_enforce_sts_mx_patterns. 
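Review bot: the two new date headers in this hunk are malformed: "+2025921" and "+2025922" have seven digits, and since they sit between 20250919 and 20250927 they were presumably meant to read 20250921 and 20250922. The hunk also moves the existing "20240924" header below the new entries without changing it; that header is likewise between 20250919 and 20250927, so check whether it should be 20250924. Minor: in 'restore deleted support for the "sendmail -O requiretls=yes|no command-line option"' the closing quote belongs after yes|no, not after "option".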
@@ -29662,6 +29836,13 @@ Apologies for any names omitted. with the smtp_cname_overrides_servername setting. File: smtp/smtp_connect.c. + Non-production REQUIRETLS branch: by default enforce REQUIRETLS + fully for remote destinations; better default patterns to + exclude local destinations from REQUIRETLS enforcement. Files: + global/mail_params.h. mantools/postconf2man, proto/postconf.proto, + proto/REQUIRETLS_README.html, smtp/smtp_reqtls_policy.c, + smtp/smtp_reqtls_policy_test.c. + 20251001 Cleanup: missing stdlib.h include. Viktor Dukhovni. File: @@ -29791,6 +29972,16 @@ Apologies for any names omitted. Testing: fix bitrot in TLS DANE tests. Viktor Dukhovni. Files: tls/tls_dane.c, tls/tls_dane.sh. + Non-production REQUIRETLS branch: Make the smtp_requiretls_policy + searches deterministic by converting an internationalized next-hop + domain to ASCII form before querying the policy. In the default + policy, specify ${domain_to_ascii{$mydomain}} which returns + Punycode when $mydomain contains non-ASCII, and which otherwise + returns $mydomain. Files: mantools/postlink, proto/postconf.proto, + proto/REQUIRETLS_README.html, global/mail_params.[hc], + util/mac_midna.[hc], util/mac_expand.[hc], util/mac_expand.in, + util/mac_expand.ref, proto/postconf.*.proto, proto/Makefile.in. + 20251104 Feature: non_empty_end_of_header_action specifies the 
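Review bot: the file list in the first hunk's new entry has a period where a comma belongs: "global/mail_params.h. mantools/postconf2man, proto/postconf.proto, ...". Change it to "global/mail_params.h, mantools/postconf2man, ..." so the list does not read as ending after mail_params.h.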
@@ -29807,3 +29998,28 @@ Apologies for any names omitted. Documentation: in OVERVIEW_README, added a missing link between smtpd(8) and trivial-rewrite(8). File: proto/OVERVIEW_README.html. + +20251114 + + Documentation: added 'halfdane' to the TLS status logging + documentation. File: proto/postconf.proto. + + Bugfix (defect introduced: Postfix 2.8, date: 20110107): + the postscreen_reject_footer parameter did not support the + form ${smtpd_reject_footer}. Problem reported by pgnd. The + postscreen_expansion_filter parameter had the same problem. + File: postscreen/postscreen.c. + + Cleanup: strip whitespace around the value in ${ function + { value } }. Files: util/mac_expand.c, util/mac_expand.in, + util/mac_expand.ref. + + Merged the non-production REQUIRETLS branch. + +TODO + + Decide whether or how to enable REQUIRETLS for non-SMTP + inputs: qmqpd.c ot pickup (sendmail). The smtputf8 auto-detect + strategy is not applicable because REQUIRETLS trumps + "TLS-Required: no". It should be easy for sendmail submissions + to choose whether TLS shall be required or optional. diff --git a/postfix/README_FILES/AAAREADME b/postfix/README_FILES/AAAREADME index d3b0817ea..12c1b2579 100644 --- a/postfix/README_FILES/AAAREADME +++ b/postfix/README_FILES/AAAREADME @@ -14,6 +14,7 @@ GGeenneerraall ccoonnffiigguurraattiioonn * TLSRPT_README: TLSRPT Protocol Support * IPV6_README: IP Version 6 Support * SMTPUTF8_README: SMTPUTF8 Support + * REQUIRETLS_README: REQUIRETLS Support * MAILLOG_README: Postfix logging to file or stdout * COMPATIBILITY_README: Backwards-Compatibility Safety Net * DEPRECATION_README: Deprecated features and alternatives diff --git a/postfix/README_FILES/REQUIRETLS_README b/postfix/README_FILES/REQUIRETLS_README new file mode 100644 index 000000000..0078447d1 --- /dev/null +++ b/postfix/README_FILES/REQUIRETLS_README 
@@ -0,0 +1,418 @@ +PPoossttffiixx RREEQQUUIIRREETTLLSS SSuuppppoorrtt + +------------------------------------------------------------------------------- + +TTaabbllee ooff CCoonntteennttss + + * Introduction + * REQUIRETLS for a perimeter MTA + + o Receiving inbound messages with REQUIRETLS requests + o LMTP and SMTP-based message stores and content filters content filters + o Non-SMTP and non-LMTP content filters + o Communication with external servers + o Relaxing REQUIRETLS for external deliveries + + * An experiment: testing REQUIRETLS support + * Requesting REQUIRETLS without SMTP + * Non-delivery notifications + * REQUIRETLS quick summary + * Credits + +IInnttrroodduuccttiioonn + +(For background information, see below for a REQUIRETLS quick summary.) + +This document covers the Postfix default settings for using the REQUIRETLS +extension. The purpose of these defaults is to make REQUIRETLS support usable +in an existing environment, with a path towards the future. + +The main issues with deploying REQUIRETLS are a lack of support in existing +infrastructure: + + * REQUIRETLS requires that server certificates are authenticated. When email + is sent across the Internet, this involves a DANE or MTA-STS policy that is + published by a mail receiving domain, using DNSSEC or HTTPS. At this time, + many domains do not publish such a policy. + + * REQUIRETLS is historically not supported by existing local infrastructure + such as internal message stores or Postfix content filters, and may be + over-kill for connections that happen behind a perimeter MTA within a + trusted internal network. + +RREEQQUUIIRREETTLLSS ffoorr aa ppeerriimmeetteerr MMTTAA + +In this text, a perimeter MTA is a mail system that operates on the boundary of +an administrative domain. It receives email messages for the domain, and/or +delivers email messages on behalf of the domain. 
+ +RReecceeiivviinngg iinnbboouunndd mmeessssaaggeess wwiitthh RREEQQUUIIRREETTLLSS rreeqquueessttss + +Postfix has one global parameter setting that controls REQUIRETLS support in +all Postfix processes. The default setting is: + + /etc/postfix/main.cf: + requiretls_enable = yes + +With this, the Postfix SMTP server will announce REQUIRETLS support, and more +importantly, will receive messages from senders that for some reason request +REQUIRETLS support -- messages that you would otherwise not receive, assuming +that the domain already publishes a valid DANE and/or STS policy. + +If all you need is to receive messages with REQUIRETLS, and you do not insist +on enforcing REQUIRETLS when sending or forwarding messages, then you can stop +reading this document after adding the additional settings below. + + NOTE: The configuration below may be suitable for a personal domain, where + the owner can decide what happens with all messages. For domains that + receive messages for other people, a less radical approach may be better, + as described in the sections that follow. + + 1 /etc/postfix/main.cf: + 2 # Don't enforce REQUIRETLS when delivering mail with SMTP or LMTP. + 3 smtp_requiretls_policy = opportunistic + 4 lmtp_requiretls_policy = opportunistic + 5 + 6 # Don't detect or add a "Require-TLS-ESMTP: yes" header. + 7 requiretls_esmtp_header = no + + * Lines 3-4: These relax REQUIRETLS enforcement when delivering a email to a + message store, content filter, or other destination that may not support + REQUIRETLS. If a server does not support STARTTLS or REQUIRETLS, then + Postfix will simply deliver the message as if the sender did not request + REQUIRETLS. + + * Line 7: The requiretls_esmtp_header feature enables support for a message + header "Require-TLS-ESMTP: yes" that allows Postfix to propagate the + sender's REQUIRETLS request through a content filter based on + SMTPD_PROXY_README or FILTER_README. 
This feature can safely be disabled if + the domain does not need to enforce REQUIRETLS while delivering or + forwarding messages. + +LLMMTTPP aanndd SSMMTTPP--bbaasseedd mmeessssaaggee ssttoorreess aanndd ccoonntteenntt ffiilltteerrss + +REQUIRETLS is historically not supported by message stores such as Dovecot, and +by content filters based on FILTER_README or SMTPD_PROXY_README. The settings +below allow for that reality, while also preparing for future REQUIRETLS +support. + +The Postfix SMTP (LMTP) client supports a permissive REQUIRETLS policy that is +suitable for communication with internal message stores and content filters +based on FILTER_README or SMTPD_PROXY_README. + + * ooppppoorrttuunniissttiicc: STARTTLS and REQUIRETLS support are optional. When the + sender requests REQUIRETLS, and an SMTP or LMTP server supports STARTTLS + and REQUIRETLS, then send REQUIRETLS, otherwise simply deliver the message + as if the sender did not request REQUIRETLS. + +For a more complete definition of this enforcement level, see the +smtp_requiretls_policy parameter documentation. + +For REQUIRETLS, the relevant Postfix 3.11 configuration default settings are: + + 1 /etc/postfix/main.cf: + 2 smtp_tls_security_level = may + 3 requiretls_esmtp_header = yes + 4 lmtp_requiretls_policy = opportunistic + 5 smtp_requiretls_policy = + 6 inline:{ + 7 {${domain_to_ascii{$mydomain}} = opportunistic} + 8 {.${domain_to_ascii{$mydomain}} = opportunistic} + 9 {localhost = opportunistic} } + 10 cidr:{ + 11 {0.0.0.0/0 opportunistic} + 12 {::/0 opportunistic} } + 13 ...to be completed in section "Communication with external + servers"... + + * Line 3: The requiretls_esmtp_header setting enables support for a message + header "Require-TLS-ESMTP: yes" that allows Postfix to propagate the + sender's REQUIRETLS request through a content filter. This feature can + safely be disabled if there is no need for content inspection based on + SMTPD_PROXY_README or FILTER_README. 
+ + * Lines 5-12: These make REQUIRETLS support optional for internal + destinations and content filters that are specified as a symbolic name + (lines 6-9) or as a numerical IP address (lines 10-12). + + * Lines 7 and 8 use ${domain_to_ascii{$mydomain}} instead of $mydomain. The + function domain_to_ascii{} returns $mydomain if that contains only (7-bit) + ASCII. If the mydomain value contains non-ASCII characters, then + domain_to_ascii{} returns the xn--mumble-mumble Punycode (A-label) form + that Postfix needs. This works around a limitation that may be eliminated + in a future Postfix version. + + * Note: if you specify a domain list outside main.cf, then the automatic + $name expansions and Punycode conversions will not happen; you will need to + enter real domain names and will need to convert non-ASCII domains to + Punycode. + +NNoonn--SSMMTTPP aanndd nnoonn--LLMMTTPP ccoonntteenntt ffiilltteerrss + +Postfix FILTER_README describes content inspection based on a pipe-to-command +approach. For REQUIRETLS, the relevant Postfix 3.11 default setting is: + + /etc/postfix/main.cf: + requiretls_esmtp_header = yes + +The requiretls_esmtp_header feature enables support for a message header +"Require-TLS-ESMTP: yes" that allows Postfix to propagate the sender's +REQUIRETLS request through a content filter. This feature can safely be +disabled if there is no need for content inspection based on SMTPD_PROXY_README +or FILTER_README. + +CCoommmmuunniiccaattiioonn wwiitthh eexxtteerrnnaall sseerrvveerrss + +For communication with external servers, the Postfix SMTP client supports +multiple enforcement levels: + + * eennffoorrccee: When the sender requests REQUIRETLS, require secure lookup of MX + hosts (for example, using DNSSEC or HTTPS), require a server certificate + match (for example, based on a published DANE or STS policy), and require + that the remote server supports REQUIRETLS. Otherwise return the message as + undeliverable. 
+ + NOTE: this is also used implicitly when no REQUIRETLS policy match is + found. + + * ooppppoorrttuunniissttiicc++ssttaarrttttllss: When the sender requests REQUIRETLS, require that + the server supports STARTTLS. Send REQUIRETLS if the server supports + REQUIRETLS, otherwise simply deliver the message as if the sender did not + request REQUIRETLS. + + * ooppppoorrttuunniissttiicc: STARTTLS and REQUIRETLS support are optional. When the + sender requests REQUIRETLS, and an SMTP or LMTP server supports STARTTLS + and REQUIRETLS, then send REQUIRETLS, otherwise simply deliver the message + as if the sender did not request REQUIRETLS. + +For a more complete definition of these enforcement levels, see the +smtp_requiretls_policy parameter documentation. + +For sending mail with REQUIRETLS, the relevant Postfix 3.11 default settings +are shown below, with one suggested setting in a comment (line 2). + +The default settings below complete the earlier configuration for message +stores and content filters, with an 'enforce' policy for external deliveries +(line 13). You can disable the requiretls_esmtp_header feature (line 4) if a +configuration does not use content inspection based on SMTPD_PROXY_README or +FILTER_README. + + 1 /etc/postfix/main.cf: + 2 # smtp_tls_policy_maps = ...dane/sts plugin... + 3 smtp_tls_security_level = may + 4 requiretls_esmtp_header = yes + 5 smtp_requiretls_policy = + 6 inline:{ + 7 {${domain_to_ascii{$mydomain}} = opportunistic} + 8 {.${domain_to_ascii{$mydomain}} = opportunistic} + 9 {localhost = opportunistic} } + 10 cidr:{ + 11 {0.0.0.0/0 opportunistic} + 12 {::/0 opportunistic} } + 13 enforce + + * New at line 13: The 'enforce' policy for external destinations is + technically correct, but is likely to suffer from delivery failures because + many domains do not publish a DANE or STS policy, and many MTAs support + STARTTLS but not REQUIRETLS. 
A perhaps more practical policy may be found + in the section Relaxing REQUIRETLS for external deliveries. + + * (Same as before) Line 3: The requiretls_esmtp_header setting enables + support for a message header "Require-TLS-ESMTP: yes" that allows Postfix + to propagate the sender's REQUIRETLS request through a content filter. This + feature can safely be disabled if there is no need for content inspection + based on SMTPD_PROXY_README or FILTER_README. + + * (Same as before) Lines 5-12: These make REQUIRETLS support optional for + internal destinations and content filters that are specified as a symbolic + name (lines 6-9) or as a numerical IP address (lines 10-12). + + * (Same as before) Lines 7 and 8 use ${domain_to_ascii{$mydomain}} instead of + $mydomain. The function domain_to_ascii{} returns $mydomain if that + contains only (7-bit) ASCII. If the mydomain value contains non-ASCII + characters, then domain_to_ascii{} returns the xn--mumble-mumble Punycode + (A-label) form that Postfix needs. This works around a limitation that may + be eliminated in a future Postfix version. + + * (Same as before) Note: if you specify a domain list outside main.cf, then + the automatic $name expansions and Punycode conversions will not happen; + you will need to enter real domain names and will need to convert non-ASCII + domains to Punycode.) + +RReellaaxxiinngg RREEQQUUIIRREETTLLSS ffoorr eexxtteerrnnaall ddeelliivveerriieess + +It may be desirable to make REQUIRETLS work with today's infrastructure, by +keeping the requirement for TLS, but relaxing the requirements that a remote +server supports REQUIRETLS and that its server certificate matches a DANE or +STS policy. The configuration below makes that change by replacing the default +'enforce' with 'opportunistic+starttls' (line 13). + + 1 /etc/postfix/main.cf: + 2 smtp_tls_security_level = may + 3 # smtp_tls_policy_maps = ...dane/sts plugin... 
+ 4 requiretls_esmtp_header = yes + 5 smtp_requiretls_policy = + 6 inline:{ + 7 {${domain_to_ascii{$mydomain}} = opportunistic} + 8 {.${domain_to_ascii{$mydomain}} = opportunistic} + 9 {localhost = opportunistic} } + 10 cidr:{ + 11 {0.0.0.0/0 opportunistic} + 12 {::/0 opportunistic} } + 13 opportunistic+starttls + + * New at line 13: the 'opportunistic+starttls' policy relaxes the requirement + that every MTA in the forward path of a message supports REQUIRETLS, but in + practice only one network hop needs to be secured: from a sender's + perimeter MTA to a receiver's perimeter MTA. The network connections + between user agents and their respective perimeters are assumed to be + already secure. + + * (Same as before) Line 3: The requiretls_esmtp_header setting enables + support for a message header "Require-TLS-ESMTP: yes" that allows Postfix + to propagate the sender's REQUIRETLS request through a content filter. This + feature can safely be disabled if there is no need for content inspection + based on SMTPD_PROXY_README or FILTER_README. + + * (Same as before) Lines 5-12: These make REQUIRETLS support optional for + internal destinations and content filters that are specified as a symbolic + name (lines 6-9) or as a numerical IP address (lines 10-12). + + * (Same as before) Lines 7 and 8 use ${domain_to_ascii{$mydomain}} instead of + $mydomain. The function domain_to_ascii{} returns $mydomain if that + contains only (7-bit) ASCII. If the mydomain value contains non-ASCII + characters, then domain_to_ascii{} returns the xn--mumble-mumble Punycode + (A-label) form that Postfix needs. This works around a limitation that may + be eliminated in a future Postfix version. + + * (Same as before) Note: if you specify a domain list outside main.cf, then + the automatic $name expansions and Punycode conversions will not happen; + you will need to enter real domain names and will need to convert non-ASCII + domains to Punycode.) 
+ +AAnn eexxppeerriimmeenntt:: tteessttiinngg RREEQQUUIIRREETTLLSS ssuuppppoorrtt + +The 'opportunistic' enforcement level may be useful to discover REQUIRETLS +support globally. The idea is to turn on REQUIRETLS for all outbound mail, and +watch in Postfix TLS status logging how often delivery is logged as +"requiretls" (all requirements satisfied), "requiretls:nocertmatch" (no DANE or +STS policy, or certificate not trusted or not matched), "requiretls:none" (no +REQUIRETLS support), or "requiretls:nostarttls". For more details on this +logging format, see smtp_log_tls_feature_status. + +RReeqquueessttiinngg RREEQQUUIIRREETTLLSS wwiitthhoouutt SSMMTTPP + +There are two options: + + * Specify the Postfix-specific "sseennddmmaaiill --OOrreeqquuiirreettllss==yyeess" command-line + option. This option is always available, but may not be convenient to use. + + * Add a Postfix-specific "RReeqquuiirree--TTLLSS--EESSMMTTPP:: yyeess" message header. This is + easier to use, but requires the setting "requiretls_esmtp_header = yes" + which is not recommended for systems without content filters based on + SMTPD_PROXY_README or FILTER_README. + + QQuueessttiioonn: perhaps there needs to be a parameter setting to request + REQUIRETLS for specific email sources or contexts? + +NNoonn--ddeelliivveerryy nnoottiiffiiccaattiioonnss + +By default, Postfix redacts an undeliverable REQUIRETLS message as described in +RFC 8689, before returning it to the sender: + + * Remove the label "this message needs REQUIRETLS". The purpose is to avoid + loss of notifications when a reverse path does not support REQUIRETLS, even + though the forward path supported it. + + * Return only the message header, as if the message was received with the RFC + 3461 DSN option "RET=HDRS". The purpose is to limit the amount of + information that may be exposed in plaintext. 
+ +The relevant default setting is: + + /etc/postfix/main.cf: + requiretls_redact_dsn = yes + +When a message was received with a "TLS-Required: no" header, and REQUIRETLS +was not requested, the "TLS-Required: no" header is copied to the delivery +status notification. + +RREEQQUUIIRREETTLLSS qquuiicckk ssuummmmaarryy + +The REQUIRETLS extension in ESMTP allows a sender to request that a message +will be sent over connections that are protected with TLS. RFC 8689 defines two +SMTP features: + + * A message header "TLS-Required: no" that disables TLS enforcement: do not + require a server certificate match, and allow falling back to plaintext if + TLS is unavailable. This may be useful to report a TLS problem, as + described in TLSRPT_README. This feature has lower precedence than + REQUIRETLS, and is not discussed further in this document. + + * An ESMTP protocol extension named "REQUIRETLS" that an SMTP server may list + in its EHLO response, and that an SMTP client may request in a MAIL FROM + command. This extension can be used only in an encrypted session, as + illustrated with the fragment below, where C=client and S=server. + + . . . + C: STARTTLS + S: 220 Ready to start TLS + C: EHLO client.example.org + S: 250-mail.example.com + . . . + 250 REQUIRETLS + C: MAIL FROM: REQUIRETLS + S: 250 OK + . . . + + * RFC 8689 applies equally to message relay [RFC 5321], submission [RFC + 6409], and the LMTP Local Mail Transfer Protocol [RFC 2033]. + + * REQUIRETLS is an end-to-end feature, unlike SMTP which is hop-by-hop. When + a sender requests REQUIRETLS, each MTA in the forward path must support + REQUIRETLS. + + * Each connection in the forward path must be made to an MX server that has + been looked up securely (for example, with DNSSEC or HTTPS). + + * Each server certificate must be verified. 
To match a server certificate, + the Postfix SMTP client needs to use an appropriate policy type: + + o A TLS policy type 'secure' or 'verify', with certificate name matching + info. For example, a policy returned by an MTA-STS plugin that looks up + certificate matching info using HTTPS; + + o A TLS policy type 'dane-only', which looks up certificate or public-key + matching info using DNSSEC. For example, a policy that is returned by a + DANE+STS plugin; + + o A TLS policy type 'dane', provided that both the nexthop domain and its + MX hosts are in DNSSEC-signed zones, and usable DNSSEC-signed TLSA + records are discovered. In other words, the effective TLS policy + remains DANE and is not downgraded because the destination lacks DNSSEC + and/or usable TLSA records; + + o A TLS policy type 'fingerprint', with digital fingerprints. This is a + non-scalable solution for special deployments, mentioned here only for + completeness. + + * A message that requires REQUIRETLS must be returned to the sender if any of + the above requirements is not satisfied (no STARTTLS support, no secure + lookup of MX servers, no trusted or no matching server certificate, or no + server that announces REQUIRETLS support). + + * Returning an undeliverable message that requires REQUIRETLS comes with its + own challenges: the return path may differ from the forward path, and the + return path may not support REQUIRETLS all the way back to the sender, even + if the forward path supported REQUIRETLS. + +CCrreeddiittss + + * In Postfix 3.10, Wietse Venema refactored SMTPUTF8 support and extended it + to propagate REQUIRETLS and "TLS-Required: no" information. 
+ * In Postfix 3.11, Wietse added REQUIRETLS support to the Postfix SMTP + client; added a "tls=status/requiretls=status" field to the Postfix + delivery status logging; added smtp_requiretls_policy support; added + support for the "Require-TLS-ESMTP: yes" header to propagate REQUIRETLS + through non-Postfix programs, specifically content filters. + diff --git a/postfix/conf/postfix-files b/postfix/conf/postfix-files index 2467af478..0d3ae7946 100644 --- a/postfix/conf/postfix-files +++ b/postfix/conf/postfix-files @@ -320,6 +320,7 @@ $readme_directory/QMQP_README:f:root:-:644:o $readme_directory/QSHAPE_README:f:root:-:644 $readme_directory/RELEASE_NOTES:f:root:-:644 $readme_directory/RESTRICTION_CLASS_README:f:root:-:644 +$readme_directory/REQUIRETLS_README:f:root:-:644 $readme_directory/SASL_README:f:root:-:644 $readme_directory/SCHEDULER_README:f:root:-:644 $readme_directory/SMTPD_ACCESS_README:f:root:-:644 @@ -383,6 +384,7 @@ $html_directory/POSTSCREEN_README.html:f:root:-:644 $html_directory/QMQP_README.html:f:root:-:644:o $html_directory/QSHAPE_README.html:f:root:-:644 $html_directory/RESTRICTION_CLASS_README.html:f:root:-:644 +$html_directory/REQUIRETLS_README.html:f:root:-:644 $html_directory/SASL_README.html:f:root:-:644 $html_directory/SCHEDULER_README.html:f:root:-:644 $html_directory/SMTPD_ACCESS_README.html:f:root:-:644 diff --git a/postfix/html/REQUIRETLS_README.html b/postfix/html/REQUIRETLS_README.html new file mode 100644 index 000000000..70ab2bd49 --- /dev/null +++ b/postfix/html/REQUIRETLS_README.html @@ -0,0 +1,553 @@ + + + + + + +Postfix REQUIRETLS Support + + + + + + + + +

Postfix REQUIRETLS Support

+ +
+ +

Table of Contents

+ + +

Introduction

+ +

(For background information, see below for a +REQUIRETLS quick summary.)

+ +

This document covers the Postfix default settings for using the +REQUIRETLS extension. The purpose of these defaults is to make REQUIRETLS +support usable in an existing environment, with a path towards the +future.

+ +

The main issues with deploying REQUIRETLS are a lack of support in +existing infrastructure:

+ + + +

REQUIRETLS for a perimeter MTA

+ +

In this text, a perimeter MTA is a mail system that operates +on the boundary of an administrative domain. It receives email +messages for the domain, and/or delivers email messages on behalf +of the domain.

+ +

Receiving inbound messages with REQUIRETLS requests

+ +

Postfix has one global parameter setting that controls REQUIRETLS +support in all Postfix processes. The default setting is: + +

+
+/etc/postfix/main.cf:
+    requiretls_enable = yes
+
+
+ +

With this, the Postfix SMTP server will announce REQUIRETLS +support, and more importantly, will receive messages from senders +that for some reason request REQUIRETLS support -- messages that +you would otherwise not receive, assuming that the domain already +publishes a valid DANE and/or STS policy.

+ +

If all you need is to receive messages with REQUIRETLS, and +you do not insist on enforcing REQUIRETLS when sending or forwarding +messages, then you can stop reading this document after adding the +additional settings below.

+ +

NOTE: The configuration below may be suitable for +a personal domain, where the owner can decide what happens with all +messages. For domains that receive messages for other people, a +less radical approach may be better, as described in the sections +that follow.

+ +
+
+1 /etc/postfix/main.cf:
+2     # Don't enforce REQUIRETLS when delivering mail with SMTP or LMTP.
+3     smtp_requiretls_policy = opportunistic
+4     lmtp_requiretls_policy = opportunistic
+5     
+6     # Don't detect or add a "Require-TLS-ESMTP: yes" header.
+7     requiretls_esmtp_header = no
+
+
+ + + +

LMTP and SMTP-based message stores and content filters

+ +

REQUIRETLS is historically not supported by message stores such +as Dovecot, and by content filters based on FILTER_README or +SMTPD_PROXY_README. The settings below allow for that reality, while +also preparing for future REQUIRETLS support.

+ +

The Postfix SMTP (LMTP) client supports a permissive REQUIRETLS +policy that is suitable for communication with internal message stores +and content filters based on FILTER_README or SMTPD_PROXY_README.

+ + + +

For a more complete definition of this enforcement level, see +the smtp_requiretls_policy parameter documentation.

+ +

For REQUIRETLS, the relevant Postfix 3.11 configuration default +settings are:

+ +
+
+ 1 /etc/postfix/main.cf:
+ 2     smtp_tls_security_level = may
+ 3     requiretls_esmtp_header = yes
+ 4     lmtp_requiretls_policy = opportunistic
+ 5     smtp_requiretls_policy =
+ 6         inline:{
+ 7             {${domain_to_ascii{$mydomain}} = opportunistic}
+ 8             {.${domain_to_ascii{$mydomain}} = opportunistic}
+ 9             {localhost = opportunistic} }
+10         cidr:{
+11             {0.0.0.0/0 opportunistic}
+12             {::/0 opportunistic} }
+13       ...to be completed in section "Communication with external servers"...
+
+
+ + + +

Non-SMTP and non-LMTP content filters

+ +

Postfix FILTER_README describes content inspection based on a +pipe-to-command approach. For REQUIRETLS, the relevant Postfix 3.11 +default setting is:

+ +
+
+/etc/postfix/main.cf:
+    requiretls_esmtp_header = yes
+
+
+ +

The requiretls_esmtp_header feature enables support for a message +header "Require-TLS-ESMTP: yes" that allows Postfix to propagate the +sender's REQUIRETLS request through a content filter. This feature can +safely be disabled if there is no need for content inspection based on +SMTPD_PROXY_README or FILTER_README.

+ +

Communication with external servers

+ +

For communication with external servers, the Postfix SMTP client +supports multiple enforcement levels:

+ + + +

For a more complete definition of these enforcement levels, +see the smtp_requiretls_policy parameter documentation.

+ +

For sending mail with REQUIRETLS, the relevant Postfix 3.11 +default settings are shown below, with one suggested setting in a +comment (line 2). + +

The default settings below complete the earlier configuration +for message stores and content filters, +with an 'enforce' policy for external deliveries (line 13). You can +disable the requiretls_esmtp_header feature (line 4) if a configuration +does not use content inspection based on SMTPD_PROXY_README or +FILTER_README.

+ +
+
+ 1 /etc/postfix/main.cf:
+ 2     # smtp_tls_policy_maps = ...dane/sts plugin...
+ 3     smtp_tls_security_level = may
+ 4     requiretls_esmtp_header = yes
+ 5     smtp_requiretls_policy =
+ 6         inline:{
+ 7             {${domain_to_ascii{$mydomain}} = opportunistic}
+ 8             {.${domain_to_ascii{$mydomain}} = opportunistic}
+ 9             {localhost = opportunistic} }
+10         cidr:{
+11             {0.0.0.0/0 opportunistic}
+12             {::/0 opportunistic} }
+13         enforce
+
+
+ + + +

Relaxing REQUIRETLS for external deliveries

+ +

It may be desirable to make REQUIRETLS work with today's +infrastructure, by keeping the requirement for TLS, but relaxing +the requirements that a remote server supports REQUIRETLS and that +its server certificate matches a DANE or STS policy. The configuration +below makes that change by replacing the default 'enforce' with +'opportunistic+starttls' (line 13).

+ +
+
+ 1 /etc/postfix/main.cf:
+ 2     smtp_tls_security_level = may
+ 3     # smtp_tls_policy_maps = ...dane/sts plugin...
+ 4     requiretls_esmtp_header = yes
+ 5     smtp_requiretls_policy =
+ 6         inline:{
+ 7             {${domain_to_ascii{$mydomain}} = opportunistic}
+ 8             {.${domain_to_ascii{$mydomain}} = opportunistic}
+ 9             {localhost = opportunistic} }
+10         cidr:{
+11             {0.0.0.0/0 opportunistic}
+12             {::/0 opportunistic} }
+13         opportunistic+starttls
+
+
+ + + +

An experiment: testing REQUIRETLS support

+ +

The 'opportunistic' enforcement level may be useful to discover +REQUIRETLS support globally. The idea is to turn on REQUIRETLS for +all outbound mail, and watch in Postfix TLS status logging how often +delivery is logged as "requiretls" (all requirements satisfied), +"requiretls:nocertmatch" (no DANE or STS policy, or certificate not +trusted or not matched), "requiretls:none" (no REQUIRETLS support), +or "requiretls:nostarttls". For more details on this logging format, +see smtp_log_tls_feature_status.

+ +

Requesting REQUIRETLS without SMTP

+ +

There are two options:

+ + + +
Question: perhaps there needs to be a parameter +setting to request REQUIRETLS for specific email sources or contexts? +
+ +

Non-delivery notifications

+ +

By default, Postfix redacts an undeliverable REQUIRETLS message as +described in RFC 8689, before returning it to the sender:

+ + + +

The relevant default setting is:

+ +
+
+/etc/postfix/main.cf:
+    requiretls_redact_dsn = yes
+
+
+ +

When a message was received with a "TLS-Required: no" +header, and REQUIRETLS was not requested, the "TLS-Required: +no" header is copied to the delivery status notification.

+ +

REQUIRETLS quick summary

+ +

The REQUIRETLS extension in ESMTP allows a sender to request +that a message will be sent over connections that are protected +with TLS. RFC 8689 defines two SMTP features:

+ + + +

Credits

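Review bot: the section "Requesting REQUIRETLS without SMTP" ships an unresolved author note ("Question: perhaps there needs to be a parameter setting to request REQUIRETLS for specific email sources or contexts?") in user-facing documentation; either answer it (for example by stating that the sendmail "-O requiretls" option documented elsewhere in this patch is the only per-message mechanism for now) or move it out of the README. Two smaller consistency points in the main.cf examples: the "Communication with external servers" example is introduced as completing "the earlier configuration for message stores and content filters", yet it drops the "lmtp_requiretls_policy = opportunistic" line that the earlier example carries on line 4, and the 'enforce' and 'opportunistic+starttls' examples swap the order of "# smtp_tls_policy_maps = ...dane/sts plugin..." and "smtp_tls_security_level = may" (lines 2 and 3), so the "(line 2)" reference in the preceding paragraph only holds for the first of the two. In the quick summary, the bullet "A message that requires REQUIRETLS must be returned to the sender if any of the above requirements is not satisfied" would read more clearly if it also pointed at the "Non-delivery notifications" section, since that is where the redaction behaviour on the return path is described.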
+ + + + + + diff --git a/postfix/html/bounce.8.html b/postfix/html/bounce.8.html index 695478942..44f4b2608 100644 --- a/postfix/html/bounce.8.html +++ b/postfix/html/bounce.8.html @@ -172,6 +172,15 @@ BOUNCE(8) BOUNCE(8) Enable support for the "TLS-Required: no" message header, defined in RFC 8689. + Available in Postfix 3.11 and later: + + requiretls_redact_dsn (yes) + When sending a delivery status notification for an original mes- + sage received with the REQUIRETLS option, do not send the origi- + nal message body (as if that message was received with + "RET=HDRS") and do not enforce REQUIRETLS (as if that message + was received without REQUIRETLS). + FILES /var/spool/postfix/bounce/* non-delivery records /var/spool/postfix/defer/* non-delivery records diff --git a/postfix/html/cleanup.8.html b/postfix/html/cleanup.8.html index bc1a835c0..421543134 100644 --- a/postfix/html/cleanup.8.html +++ b/postfix/html/cleanup.8.html 
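Review bot: the requiretls_redact_dsn (yes) entry in bounce.8.html (and the identical defer.8.html copy) describes only the default; it should also say what a DSN looks like with requiretls_redact_dsn = no, in particular whether the notification then itself requires REQUIRETLS on the return path and can therefore become undeliverable, which is the risk the README's quick summary calls out ("the return path may not support REQUIRETLS all the way back to the sender"). Stating that trade-off next to the parameter is what an operator deciding to turn redaction off needs.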
@@ -473,29 +473,33 @@ CLEANUP(8) CLEANUP(8) Enable support for the "TLS-Required: no" message header, defined in RFC 8689. + requiretls_esmtp_header (yes) + Record the ESMTP REQUIRETLS request in a "Require-TLS-ESMTP: + yes" message header. + MISCELLANEOUS CONTROLS config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and master.cf con- + The default location of the Postfix main.cf and master.cf con- figuration files. daemon_timeout (18000s) - How much time a Postfix daemon process may take to handle a + How much time a Postfix daemon process may take to handle a request before it is terminated by a built-in watchdog timer. delay_logging_resolution_limit (2) - The maximal number of digits after the decimal point when log- + The maximal number of digits after the decimal point when log- ging delay values. delay_warning_time (0h) - The time after which the sender receives a copy of the message + The time after which the sender receives a copy of the message headers of mail that is still queued. ipc_timeout (3600s) - The time limit for sending or receiving information over an + The time limit for sending or receiving information over an internal communication channel. max_idle (100s) - The maximum amount of time that an idle Postfix daemon process + The maximum amount of time that an idle Postfix daemon process waits for an incoming connection before terminating voluntarily. max_use (100) @@ -506,7 +510,7 @@ CLEANUP(8) CLEANUP(8) The internet hostname of this mail system. myorigin ($myhostname) - The domain name that locally-posted mail appears to come from, + The domain name that locally-posted mail appears to come from, and that locally posted mail is delivered to. process_id (read-only) 
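Review bot: the new requiretls_esmtp_header (yes) summary says only "Record the ESMTP REQUIRETLS request in a 'Require-TLS-ESMTP: yes' message header", but the README in this same patch describes the feature as both detecting and adding that header ("Don't detect or add a 'Require-TLS-ESMTP: yes' header" in the personal-domain example) and as the mechanism for re-establishing the REQUIRETLS request on mail re-injected by a content filter; the cleanup(8) text should say the same, and should state from which sources an incoming "Require-TLS-ESMTP: yes" header is honoured (only re-injected mail, or any submission), because that decides whether a header alone can switch on enforcement for a message that did not arrive with the ESMTP option. The remaining lines in this hunk are whitespace-only re-justification churn; if the man page generator is the cause, it would be kinder to reviewers to keep those out of feature commits.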
@@ -519,21 +523,21 @@ CLEANUP(8) CLEANUP(8) The location of the Postfix top-level queue directory. soft_bounce (no) - Safety net to keep mail queued that would otherwise be returned + Safety net to keep mail queued that would otherwise be returned to the sender. syslog_facility (mail) The syslog facility of Postfix logging. syslog_name (see 'postconf -d' output) - A prefix that is prepended to the process name in syslog + A prefix that is prepended to the process name in syslog records, so that, for example, "smtpd" becomes "prefix/smtpd". Available in Postfix version 2.1 and later: enable_original_recipient (yes) - Enable support for the original recipient address after an - address is rewritten to a different address (for example with + Enable support for the original recipient address after an + address is rewritten to a different address (for example with aliasing or with canonical mapping). Available in Postfix 3.3 and later: @@ -544,14 +548,14 @@ CLEANUP(8) CLEANUP(8) Available in Postfix 3.5 and later: info_log_address_format (external) - The email address form that will be used in non-debug logging + The email address form that will be used in non-debug logging (info, warning, etc.). Available in Postfix 3.9 and later: force_mime_input_conversion (no) - Convert body content that claims to be 8-bit into quoted-print- - able, before header_checks, body_checks, Milters, and before + Convert body content that claims to be 8-bit into quoted-print- + able, before header_checks, body_checks, Milters, and before after-queue content filters. FILES diff --git a/postfix/html/defer.8.html b/postfix/html/defer.8.html index 695478942..44f4b2608 100644 --- a/postfix/html/defer.8.html +++ b/postfix/html/defer.8.html 
@@ -172,6 +172,15 @@ BOUNCE(8) BOUNCE(8) Enable support for the "TLS-Required: no" message header, defined in RFC 8689. + Available in Postfix 3.11 and later: + + requiretls_redact_dsn (yes) + When sending a delivery status notification for an original mes- + sage received with the REQUIRETLS option, do not send the origi- + nal message body (as if that message was received with + "RET=HDRS") and do not enforce REQUIRETLS (as if that message + was received without REQUIRETLS). + FILES /var/spool/postfix/bounce/* non-delivery records /var/spool/postfix/defer/* non-delivery records diff --git a/postfix/html/index.html b/postfix/html/index.html index bbe7794e7..c9d07330a 100644 --- a/postfix/html/index.html +++ b/postfix/html/index.html @@ -51,6 +51,8 @@ configuration examples
  • SMTPUTF8 Support +
  • REQUIRETLS Support +
  • Postfix logging to file or stdout
  • Backwards-Compatibility Safety Net diff --git a/postfix/html/lmtp.8.html b/postfix/html/lmtp.8.html index 37a089ab1..a0bebb0e3 100644 --- a/postfix/html/lmtp.8.html +++ b/postfix/html/lmtp.8.html @@ -174,7 +174,7 @@ SMTP(8) SMTP(8) RFC 6531 (Internationalized SMTP) RFC 6533 (Internationalized Delivery Status Notifications) RFC 7672 (SMTP security via opportunistic DANE TLS) - RFC 8689 (TLS-Required message header) + RFC 8689 (SMTP REQUIRETLS extension, TLS-Required header) DIAGNOSTICS Problems and transactions are logged to syslogd(8) or postlogd(8). @@ -507,7 +507,7 @@ SMTP(8) SMTP(8) The delimiter between username and password in sasl_passwd_maps lookup results. -STARTTLS SUPPORT CONTROLS +TLS SUPPORT CONTROLS Detailed information about STARTTLS configuration may be found in the TLS_README document. 
@@ -773,41 +773,56 @@ SMTP(8) SMTP(8) an MX host only if its name matches any STS policy MX host pat- tern, and match the server certificate against the MX hostname. -OBSOLETE STARTTLS CONTROLS - The following configuration parameters exist for compatibility with - Postfix versions before 2.3. Support for these will be removed in a + Available in Postfix version 3.11 and later: + + requiretls_enable (yes) + Enable support for the ESMTP verb "REQUIRETLS" in the "MAIL + FROM" command. + + smtp_requiretls_policy (see 'postconf -d smtp_requiretls_policy' out- + put) + How the Postfix SMTP and LMTP client will enforce REQUIRETLS for + messages received with the REQUIRETLS option. + + smtp_log_tls_feature_status (yes) + Enable logging of TLS feature information in delivery status + logging. + +OBSOLETE TLS CONTROLS + The following configuration parameters exist for compatibility with + Postfix versions before 2.3. Support for these will be removed in a future release. smtp_use_tls (no) - Opportunistic mode: use TLS when a remote SMTP server announces + Opportunistic mode: use TLS when a remote SMTP server announces STARTTLS support, otherwise send the mail in the clear. smtp_enforce_tls (no) - Enforcement mode: require that remote SMTP servers use TLS + Enforcement mode: require that remote SMTP servers use TLS encryption, and never send mail in the clear. smtp_tls_enforce_peername (yes) - With mandatory TLS encryption, require that the remote SMTP - server hostname matches the information in the remote SMTP + With mandatory TLS encryption, require that the remote SMTP + server hostname matches the information in the remote SMTP server certificate. smtp_tls_per_site (empty) - Optional lookup tables with the Postfix SMTP client TLS usage - policy by next-hop destination and by remote SMTP server host- + Optional lookup tables with the Postfix SMTP client TLS usage + policy by next-hop destination and by remote SMTP server host- name. 
smtp_tls_cipherlist (empty) - Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS + Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS cipher list. RESOURCE AND RATE CONTROLS smtp_connect_timeout (30s) - The Postfix SMTP client time limit for completing a TCP connec- + The Postfix SMTP client time limit for completing a TCP connec- tion, or zero (use the operating system built-in time limit). smtp_helo_timeout (300s) - The Postfix SMTP client time limit for sending the HELO or EHLO - command, and for receiving the initial remote SMTP server + The Postfix SMTP client time limit for sending the HELO or EHLO + command, and for receiving the initial remote SMTP server response. lmtp_lhlo_timeout (300s) @@ -819,19 +834,19 @@ SMTP(8) SMTP(8) mand, and for receiving the remote SMTP server response. smtp_mail_timeout (300s) - The Postfix SMTP client time limit for sending the MAIL FROM + The Postfix SMTP client time limit for sending the MAIL FROM command, and for receiving the remote SMTP server response. smtp_rcpt_timeout (300s) - The Postfix SMTP client time limit for sending the SMTP RCPT TO + The Postfix SMTP client time limit for sending the SMTP RCPT TO command, and for receiving the remote SMTP server response. smtp_data_init_timeout (120s) - The Postfix SMTP client time limit for sending the SMTP DATA + The Postfix SMTP client time limit for sending the SMTP DATA command, and for receiving the remote SMTP server response. smtp_data_xfer_timeout (180s) - The Postfix SMTP client time limit for sending the SMTP message + The Postfix SMTP client time limit for sending the SMTP message content. smtp_data_done_timeout (600s) 
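Review bot: in the new "Available in Postfix version 3.11 and later" block, smtp_requiretls_policy is documented under its smtp_ name on the lmtp.8 page, while the README configures "lmtp_requiretls_policy = opportunistic" for the LMTP client; a one-line pointer to the lmtp_ form (as the README uses) would avoid operators setting the wrong one. The smtp_log_tls_feature_status (yes) summary, "Enable logging of TLS feature information in delivery status logging", is vague compared with the README, which refers readers here for the "requiretls", "requiretls:nocertmatch", "requiretls:none" and "requiretls:nostarttls" values; naming that tls=/requiretls= field in the summary would make the cross-reference useful. Renaming "STARTTLS SUPPORT CONTROLS" and "OBSOLETE STARTTLS CONTROLS" to the "TLS ..." forms is fine, but any other page or README that links to the old section titles needs the same change.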
@@ -845,13 +860,13 @@ SMTP(8) SMTP(8) Available in Postfix version 2.1 and later: smtp_mx_address_limit (5) - The maximal number of MX (mail exchanger) IP addresses that can - result from Postfix SMTP client mail exchanger lookups, or zero + The maximal number of MX (mail exchanger) IP addresses that can + result from Postfix SMTP client mail exchanger lookups, or zero (no limit). smtp_mx_session_limit (2) - The maximal number of SMTP sessions per delivery request before - the Postfix SMTP client gives up or delivers to a fall-back + The maximal number of SMTP sessions per delivery request before + the Postfix SMTP client gives up or delivers to a fall-back relay host, or zero (no limit). smtp_rset_timeout (20s) @@ -861,17 +876,17 @@ SMTP(8) SMTP(8) Available in Postfix version 2.2 and earlier: lmtp_cache_connection (yes) - Keep Postfix LMTP client connections open for up to $max_idle + Keep Postfix LMTP client connections open for up to $max_idle seconds. Available in Postfix version 2.2 and later: smtp_connection_cache_destinations (empty) - Permanently enable SMTP connection caching for the specified + Permanently enable SMTP connection caching for the specified destinations. smtp_connection_cache_on_demand (yes) - Temporarily enable SMTP connection caching while a destination + Temporarily enable SMTP connection caching while a destination has a high volume of mail in the active queue. smtp_connection_reuse_time_limit (300s) 
@@ -885,23 +900,23 @@ SMTP(8) SMTP(8) Available in Postfix version 2.3 and later: connection_cache_protocol_timeout (5s) - Time limit for connection cache connect, send or receive opera- + Time limit for connection cache connect, send or receive opera- tions. Available in Postfix version 2.9 - 3.6: smtp_per_record_deadline (no) - Change the behavior of the smtp_*_timeout time limits, from a - time limit per read or write system call, to a time limit to - send or receive a complete record (an SMTP command line, SMTP - response line, SMTP message content line, or TLS protocol mes- + Change the behavior of the smtp_*_timeout time limits, from a + time limit per read or write system call, to a time limit to + send or receive a complete record (an SMTP command line, SMTP + response line, SMTP message content line, or TLS protocol mes- sage). Available in Postfix version 2.11 and later: smtp_connection_reuse_count_limit (0) - When SMTP connection caching is enabled, the number of times - that an SMTP session may be reused before it is closed, or zero + When SMTP connection caching is enabled, the number of times + that an SMTP session may be reused before it is closed, or zero (no limit). Available in Postfix version 3.4 and later: 
@@ -912,13 +927,13 @@ SMTP(8) SMTP(8) Available in Postfix version 3.7 and later: smtp_per_request_deadline (no) - Change the behavior of the smtp_*_timeout time limits, from a - time limit per plaintext or TLS read or write call, to a com- - bined time limit for sending a complete SMTP request and for + Change the behavior of the smtp_*_timeout time limits, from a + time limit per plaintext or TLS read or write call, to a com- + bined time limit for sending a complete SMTP request and for receiving a complete SMTP response. smtp_min_data_rate (500) - The minimum plaintext data transfer rate in bytes/second for + The minimum plaintext data transfer rate in bytes/second for DATA requests, when deadlines are enabled with smtp_per_request_deadline. 
@@ -926,54 +941,54 @@ SMTP(8) SMTP(8) transport_destination_concurrency_limit ($default_destination_concur- rency_limit) - A transport-specific override for the default_destination_con- + A transport-specific override for the default_destination_con- currency_limit parameter value, where transport is the master.cf name of the message delivery transport. transport_destination_recipient_limit ($default_destination_recipi- ent_limit) A transport-specific override for the default_destination_recip- - ient_limit parameter value, where transport is the master.cf + ient_limit parameter value, where transport is the master.cf name of the message delivery transport. SMTPUTF8 CONTROLS Preliminary SMTPUTF8 support is introduced with Postfix 3.0. smtputf8_enable (yes) - Enable preliminary SMTPUTF8 support for the protocols described + Enable preliminary SMTPUTF8 support for the protocols described in RFC 6531, RFC 6532, and RFC 6533. smtputf8_autodetect_classes (sendmail, verify) - Detect that a message requires SMTPUTF8 support for the speci- + Detect that a message requires SMTPUTF8 support for the speci- fied mail origin classes. Available in Postfix version 3.2 and later: enable_idna2003_compatibility (no) - Enable 'transitional' compatibility between IDNA2003 and - IDNA2008, when converting UTF-8 domain names to/from the ASCII + Enable 'transitional' compatibility between IDNA2003 and + IDNA2008, when converting UTF-8 domain names to/from the ASCII form that is used for DNS lookups. TROUBLE SHOOTING CONTROLS debug_peer_level (2) - The increment in verbose logging level when a nexthop destina- - tion, remote client or server name or network address matches a + The increment in verbose logging level when a nexthop destina- + tion, remote client or server name or network address matches a pattern given with the debug_peer_list parameter. 
debug_peer_list (empty) - Optional list of nexthop destination, remote client or server - name or network address patterns that, if matched, cause the - verbose logging level to increase by the amount specified in + Optional list of nexthop destination, remote client or server + name or network address patterns that, if matched, cause the + verbose logging level to increase by the amount specified in $debug_peer_level. error_notice_recipient (postmaster) - The recipient of postmaster notifications about mail delivery + The recipient of postmaster notifications about mail delivery problems that are caused by policy, resource, software or proto- col errors. internal_mail_filter_classes (empty) - What categories of Postfix-generated mail are subject to - before-queue content inspection by non_smtpd_milters, + What categories of Postfix-generated mail are subject to + before-queue content inspection by non_smtpd_milters, header_checks and body_checks. notify_classes (resource, software) 
@@ -981,46 +996,46 @@ SMTP(8) SMTP(8) MISCELLANEOUS CONTROLS best_mx_transport (empty) - Where the Postfix SMTP client should deliver mail when it + Where the Postfix SMTP client should deliver mail when it detects a "mail loops back to myself" error condition. config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and master.cf con- + The default location of the Postfix main.cf and master.cf con- figuration files. daemon_timeout (18000s) - How much time a Postfix daemon process may take to handle a + How much time a Postfix daemon process may take to handle a request before it is terminated by a built-in watchdog timer. delay_logging_resolution_limit (2) - The maximal number of digits after the decimal point when log- + The maximal number of digits after the decimal point when log- ging delay values. disable_dns_lookups (no) Disable DNS lookups in the Postfix SMTP and LMTP clients. inet_interfaces (all) - The local network interface addresses that this mail system + The local network interface addresses that this mail system receives mail on. inet_protocols (see 'postconf -d' output) - The Internet protocols Postfix will attempt to use when making + The Internet protocols Postfix will attempt to use when making or accepting connections. ipc_timeout (3600s) - The time limit for sending or receiving information over an + The time limit for sending or receiving information over an internal communication channel. lmtp_assume_final (no) - When a remote LMTP server announces no DSN support, assume that - the server performs final delivery, and send "delivered" deliv- + When a remote LMTP server announces no DSN support, assume that + the server performs final delivery, and send "delivered" deliv- ery status notifications instead of "relayed". lmtp_tcp_port (24) The default TCP port that the Postfix LMTP client connects to. 
max_idle (100s) - The maximum amount of time that an idle Postfix daemon process + The maximum amount of time that an idle Postfix daemon process waits for an incoming connection before terminating voluntarily. max_use (100) @@ -1034,21 +1049,21 @@ SMTP(8) SMTP(8) The process name of a Postfix command or daemon process. proxy_interfaces (empty) - The remote network interface addresses that this mail system - receives mail on by way of a proxy or network address transla- + The remote network interface addresses that this mail system + receives mail on by way of a proxy or network address transla- tion unit. smtp_address_preference (any) The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP - client will try first, when a destination has IPv6 and IPv4 + client will try first, when a destination has IPv6 and IPv4 addresses with equal MX preference. smtp_bind_address (empty) - An optional numerical network address that the Postfix SMTP + An optional numerical network address that the Postfix SMTP client should bind to when making an IPv4 connection. smtp_bind_address6 (empty) - An optional numerical network address that the Postfix SMTP + An optional numerical network address that the Postfix SMTP client should bind to when making an IPv6 connection. smtp_helo_name ($myhostname) @@ -1068,7 +1083,7 @@ SMTP(8) SMTP(8) The syslog facility of Postfix logging. syslog_name (see 'postconf -d' output) - A prefix that is prepended to the process name in syslog + A prefix that is prepended to the process name in syslog records, so that, for example, "smtpd" becomes "prefix/smtpd". Available with Postfix 2.2 and earlier: 
@@ -1080,14 +1095,14 @@ SMTP(8) SMTP(8) Available with Postfix 2.3 and later: smtp_fallback_relay ($fallback_relay) - Optional list of relay destinations that will be used when an - SMTP destination is not found, or when delivery fails due to a + Optional list of relay destinations that will be used when an + SMTP destination is not found, or when delivery fails due to a non-permanent error. Available with Postfix 3.0 and later: smtp_address_verify_target (rcpt) - In the context of email address verification, the SMTP protocol + In the context of email address verification, the SMTP protocol stage that determines whether an email address is deliverable. Available with Postfix 3.1 and later: @@ -1109,7 +1124,7 @@ SMTP(8) SMTP(8) Available in Postfix 3.7 and later: smtp_bind_address_enforce (no) - Defer delivery when the Postfix SMTP client cannot apply the + Defer delivery when the Postfix SMTP client cannot apply the smtp_bind_address or smtp_bind_address6 setting. SEE ALSO diff --git a/postfix/html/mailq.1.html b/postfix/html/mailq.1.html index 4645b733a..ef7344b09 100644 --- a/postfix/html/mailq.1.html +++ b/postfix/html/mailq.1.html 
@@ -177,14 +177,36 @@ SENDMAIL(1) SENDMAIL(1) -n (ignored) Backwards compatibility. - -oAalias_database - Non-default alias database. Specify pathname or type:pathname. - See postalias(1) for details. + -O requiretls=yes + + -O requiretls=no + When delivering a message to an SMTP or LMTP server, the connec- + tion must use TLS with a verified server certificate, and that + server must support REQUIRETLS. The "requiretls" name and option + value are case-insensitive. REQUIRETLS enforcement is controlled + with the configuration parameters requiretls_enable, + smtp_requiretls_policy, and lmtp_requiretls_policy. + + This feature is available in Postfix 3.11 and later. + + -O smtputf8=yes + + -O smtputf8=no + When delivering a message to an SMTP or LMTP server, and an + envelope address or message header contains UTF8 text, that + server must support SMTPUTF8. The "smtputf8" option name and + value are case-insensitive. + + This feature is available in Postfix 3.11 and later. -O option=value (ignored) - Set the named option to value. Use the equivalent configuration + Set the named option to value. Use the equivalent configuration parameter in main.cf instead. + -oAalias_database + Non-default alias database. Specify pathname or type:pathname. + See postalias(1) for details. + -o7 (ignored) -o8 (ignored) @@ -483,6 +505,12 @@ SENDMAIL(1) SENDMAIL(1) the default Postfix instance, and that are started, stopped, etc., together with the default Postfix instance. + Postfix 3.11 and later: + + requiretls_enable (yes) + Enable support for the ESMTP verb "REQUIRETLS" in the "MAIL + FROM" command. + FILES /var/spool/postfix, mail queue /etc/postfix, configuration files 
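Review bot: both "-O requiretls=yes" and "-O requiretls=no" are listed, but the description only covers the =yes case; say what =no does (for instance whether it merely omits the request or overrides an autodetected one), and likewise for "-O smtputf8=no". The first sentence, "the connection must use TLS with a verified server certificate, and that server must support REQUIRETLS", reads as an unconditional guarantee, while the following sentence says enforcement is controlled by smtp_requiretls_policy and lmtp_requiretls_policy, which the README allows to be 'opportunistic'; wording it as "requests that ..." with enforcement delegated to those parameters would be accurate. The same text is replicated verbatim in newaliases.1.html in this patch (same blob ids), so the fix belongs in the sendmail.1 source that generates both.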
@@ -501,7 +529,7 @@ SENDMAIL(1) SENDMAIL(1) syslogd(8), system logging README_FILES - Use "postconf readme_directory" or "postconf html_directory" to locate + Use "postconf readme_directory" or "postconf html_directory" to locate this information. DEBUG_README, Postfix debugging howto ETRN_README, Postfix ETRN howto diff --git a/postfix/html/newaliases.1.html b/postfix/html/newaliases.1.html index 4645b733a..ef7344b09 100644 --- a/postfix/html/newaliases.1.html +++ b/postfix/html/newaliases.1.html @@ -177,14 +177,36 @@ SENDMAIL(1) SENDMAIL(1) -n (ignored) Backwards compatibility. - -oAalias_database - Non-default alias database. Specify pathname or type:pathname. - See postalias(1) for details. + -O requiretls=yes + + -O requiretls=no + When delivering a message to an SMTP or LMTP server, the connec- + tion must use TLS with a verified server certificate, and that + server must support REQUIRETLS. The "requiretls" name and option + value are case-insensitive. REQUIRETLS enforcement is controlled + with the configuration parameters requiretls_enable, + smtp_requiretls_policy, and lmtp_requiretls_policy. + + This feature is available in Postfix 3.11 and later. + + -O smtputf8=yes + + -O smtputf8=no + When delivering a message to an SMTP or LMTP server, and an + envelope address or message header contains UTF8 text, that + server must support SMTPUTF8. The "smtputf8" option name and + value are case-insensitive. + + This feature is available in Postfix 3.11 and later. -O option=value (ignored) - Set the named option to value. Use the equivalent configuration + Set the named option to value. Use the equivalent configuration parameter in main.cf instead. + -oAalias_database + Non-default alias database. Specify pathname or type:pathname. + See postalias(1) for details. + -o7 (ignored) -o8 (ignored) 
@@ -483,6 +505,12 @@ SENDMAIL(1) SENDMAIL(1) the default Postfix instance, and that are started, stopped, etc., together with the default Postfix instance. + Postfix 3.11 and later: + + requiretls_enable (yes) + Enable support for the ESMTP verb "REQUIRETLS" in the "MAIL + FROM" command. + FILES /var/spool/postfix, mail queue /etc/postfix, configuration files @@ -501,7 +529,7 @@ SENDMAIL(1) SENDMAIL(1) syslogd(8), system logging README_FILES - Use "postconf readme_directory" or "postconf html_directory" to locate + Use "postconf readme_directory" or "postconf html_directory" to locate this information. DEBUG_README, Postfix debugging howto ETRN_README, Postfix ETRN howto diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index c6a02d86c..516becd14 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -12,7 +12,7 @@