Robustness: force html2text to produce ASCII output. File:
mantools/html2readme.
+ Feature: "postfix tls" commands to enable opportunistic TLS
+ in the Postfix SMTP client or server, or generate or replace
+ Postfix SMTP server TLS private keys and server certificates.
+ Viktor Dukhovni, Wietse. Files: conf/postfix-files,
+ conf/postfix-script, conf/postfix-tls-script, makedefs,
+ proto/INSTALL.html, proto/postconf.proto, global/mail_params.h,
+ postfix/postfix.c, tls/tls_misc.c.
+
+ Portability: added a tls_random_source default setting for
+ MacOS X. Viktor Dukhovni. File: util/sys_defs.h.
+
20150118
Bitrot: OpenSSL 1.1.0-dev (aka the "master" branch) has new
Portability: Postfix TLS support uses /dev/urandom if
available and no system-specific setting exists in sys_defs.h.
Files: makedefs, util/sys_defs.h.
-
-20161206
-
- Portability: added a tls_random_source default setting for
- MacOS X. Viktor Dukhovni. File: util/sys_defs.h.
-Postfix Installation From Source Code
-
--------------------------------------------------------------------------------
-
-1 - Purpose of this document
-
-If you are using a pre-compiled version of Postfix, you should start with
-BASIC_CONFIGURATION_README and the general documentation referenced by it.
-INSTALL is only a bootstrap document to get Postfix up and running from scratch
-with the minimal number of steps; it should not be considered part of the
-general documentation.
-
-This document describes how to build, install and configure a Postfix system so
-that it can do one of the following:
-
- * Send mail only, without changing an existing Sendmail installation.
- * Send and receive mail via a virtual host interface, still without any
- change to an existing Sendmail installation.
- * Run Postfix instead of Sendmail.
-
-Topics covered in this document:
-
- 1. Purpose of this document
- 2. Typographical conventions
- 3. Documentation
- 4. Building on a supported system
- 5. Porting Postfix to an unsupported system
- 6. Installing the software after successful compilation
- 7. Configuring Postfix to send mail only
- 8. Configuring Postfix to send and receive mail via virtual interface
- 9. Running Postfix instead of Sendmail
-10. Mandatory configuration file edits
-11. To chroot or not to chroot
-12. Care and feeding of the Postfix system
-
-2 - Typographical conventions
-
-In the instructions below, a command written as
-
- # command
-
-should be executed as the superuser.
-
-A command written as
-
- $ command
-
-should be executed as an unprivileged user.
-
-3 - Documentation
-
-Documentation is available as README files (start with the file README_FILES/
-AAAREADME), as HTML web pages (point your browser to "html/index.html") and as
-UNIX-style manual pages.
-
-You should view the README files with a pager such as more(1) or less(1),
-because the files use backspace characters in order to produce bold font. To
-print a README file without backspace characters, use the col(1) command. For
-example:
-
- $ col -bx <file | lpr
-
-In order to view the manual pages before installing Postfix, point your MANPATH
-environment variable to the "man" subdirectory; be sure to use an absolute
-path.
-
- $ export MANPATH; MANPATH="`pwd`/man:$MANPATH"
- $ setenv MANPATH "`pwd`/man:$MANPATH"
-
-Of particular interest is the postconf(5) manual page that lists all the 500+
-configuration parameters. The HTML version of this text makes it easy to
-navigate around.
-
-All Postfix source files have their own built-in manual page. Tools to extract
-those embedded manual pages are available in the mantools directory.
-
-4 - Building on a supported system
-
-Postfix development happens on FreeBSD and MacOS X, with regular tests on Linux
-(Fedora, Ubuntu) and Solaris. Support for other systems relies on feedback from
-their users, and may not always be up-to-date.
-
-OpenBSD is partially supported. The libc resolver does not implement the
-documented "internal resolver options which are [...] set by changing fields in
-the _res structure" (documented in the OpenBSD 5.6 resolver(3) manpage). This
-results in too many DNS queries, and false positives for queries that should
-fail.
-
-Overview of topics:
-
- * 4.1 - Getting started
- * 4.2 - What compiler to use
- * 4.3 - Building with Postfix position-independent executables (Postfix >=
- 3.0)
- * 4.4 - Building with Postfix dynamically-linked libraries and database
- plugins (Postfix >= 3.0)
- * 4.5 - Building with optional features
- * 4.6 - Overriding built-in parameter default settings
- * 4.7 - Overriding other compile-time features
- * 4.8 - Support for thousands of processes
- * 4.9 - Compiling Postfix, at last
-
-4.1 - Getting started
-
-On Solaris, the "make" command and other development utilities are in /usr/ccs/
-bin, so you MUST have /usr/ccs/bin in your command search path. If these files
-do not exist, you need to install the development packages first.
-
-If you need to build Postfix for multiple architectures from a single source-
-code tree, use the "lndir" command to build a shadow tree with symbolic links
-to the source files.
-
-If at any time in the build process you get messages like: "make: don't know
-how to ..." you should be able to recover by running the following command from
-the Postfix top-level directory:
-
- $ make -f Makefile.init makefiles
-
-If you copied the Postfix source code after building it on another machine, it
-is a good idea to cd into the top-level directory and first do this:
-
- $ make tidy
-
-This will get rid of any system dependencies left over from compiling the
-software elsewhere.
-
-4.2 - What compiler to use
-
-To build with GCC, or with the native compiler if people told me that is better
-for your system, just cd into the top-level Postfix directory of the source
-tree and type:
-
- $ make
-
-To build with a non-default compiler, you need to specify the name of the
-compiler. Here are a few examples:
-
- $ make makefiles CC=/opt/SUNWspro/bin/cc (Solaris)
- $ make
-
- $ make makefiles CC="/opt/ansic/bin/cc -Ae" (HP-UX)
- $ make
-
- $ make makefiles CC="purify cc"
- $ make
-
-and so on. In some cases, optimization will be turned off automatically.
-
-4.3 - Building with Postfix position-independent executables (Postfix >= 3.0)
-
-On some systems Postfix can be built with Position-Independent Executables. PIE
-is used by the ASLR exploit mitigation technique (ASLR = Address-Space Layout
-Randomization):
-
- $ make makefiles pie=yes ...other arguments...
-
-(Specify "make makefiles pie=no" to explicitly disable Postfix position-
-independent executable support).
-
-Postfix PIE support appears to work on Fedora Core 20, Ubuntu 14.04, FreeBSD 9
-and 10, and NetBSD 6 (all with the default system compilers).
-
-Whether the "pie=yes" above has any effect depends on the compiler. Some
-compilers always produce PIE executables, and some may even complain that the
-Postfix build option is redundant.
-
-4.4 - Building with Postfix dynamically-linked libraries and database plugins
-(Postfix >= 3.0)
-
-Postfix dynamically-linked library and database plugin support exists for
-recent versions of Linux, FreeBSD and MacOS X. Dynamically-linked library
-builds may become the default at some point in the future.
-
-Overview of topics:
-
- * 4.4.1 Turning on Postfix dynamically-linked library support
- * 4.4.2 Turning on Postfix database-plugin support
- * 4.4.3 Customizing Postfix dynamically-linked libraries and database plugins
- * 4.4.4 Tips for distribution maintainers
-
-Note: directories with Postfix dynamically-linked libraries or database plugins
-should contain only postfix-related files. Postfix dynamically-linked libraries
-and database plugins should not be installed in a "public" system directory
-such as /usr/lib or /usr/local/lib. Linking Postfix dynamically-linked library
-or database-plugin files into non-Postfix programs is not supported. Postfix
-dynamically-linked libraries and database plugins implement a Postfix-internal
-API that changes without maintaining compatibility.
-
-4.4.1 Turning on Postfix dynamically-linked library support
-
-Postfix can be built with Postfix dynamically-linked libraries (files typically
-named libpostfix-*.so). Postfix dynamically-linked libraries add minor run-time
-overhead and result in significantly-smaller Postfix executable files.
-
-Specify "shared=yes" on the "make makefiles" command line to build Postfix with
-dynamically-linked library support.
-
- $ make makefiles shared=yes ...other arguments...
- $ make
-
-(Specify "make makefiles shared=no" to explicitly disable Postfix dynamically-
-linked library support).
-
-This installs dynamically-linked libraries in $shlib_directory, typically /usr/
-lib/postfix or /usr/local/lib/postfix, with file names libpostfix-name.so,
-where the name is a source-code directory name such as "util" or "global".
-
-See section 4.4.3 "Customizing Postfix dynamically-linked libraries and
-database plugins" below for how to customize the Postfix dynamically-linked
-library location, including support to upgrade a running mail system safely.
-
-4.4.2 Turning on Postfix database-plugin support
-
-Additionally, Postfix can be built to support dynamic loading of Postfix
-database clients (database plugins) with the Debian-style dynamicmaps feature.
-Postfix 3.0 supports dynamic loading of cdb:, ldap:, lmdb:, mysql:, pcre:,
-pgsql:, sdbm:, and sqlite: database clients. Dynamic loading is useful when you
-distribute or install pre-compiled Postfix packages.
-
-Specify "dynamicmaps=yes" on the "make makefiles" command line to build Postfix
-with support to dynamically load Postfix database clients with the Debian-style
-dynamicmaps feature.
-
- $ make makefiles dynamicmaps=yes ...other arguments...
- $ make
-
-(Specify "make makefiles dynamicmaps=no" to explicitly disable Postfix
-database-plugin support).
-
-This implicitly enables dynamically-linked library support, installs the
-configuration file dynamicmaps.cf in $meta_directory (usually, /etc/postfix or
-/usr/local/etc/postfix), and installs database plugins in $shlib_directory (see
-above). Database plugins are named postfix-type.so where the type is a database
-type such as "cdb" or "ldap".
-
- NOTE: The Postfix 3.0 build procedure expects that you specify database
- library dependencies with variables named AUXLIBS_CDB, AUXLIBS_LDAP, etc.
- With Postfix 3.0 and later, the old AUXLIBS variable still supports
- building a statically-loaded database client, but only the new AUXLIBS_CDB
- etc. variables support building a dynamically-loaded or statically-loaded
- CDB etc. database client. See CDB_README, LDAP_README, etc. for details.
-
- Failure to follow this advice will defeat the purpose of dynamic database
- client loading. Every Postfix executable file will have database library
- dependencies. And that was exactly what dynamic database client loading was
- meant to avoid.
-
-See the next section for how to customize the location and version of Postfix
-database plugins and the location of the file dynamicmaps.cf.
-
-4.4.3 Customizing Postfix dynamically-linked libraries and database plugins
-
-Customizing build-time and run-time options for Postfix dynamically-linked
-libraries and database plugins
-
-The build-time environment variables SHLIB_CFLAGS, SHLIB_RPATH, and
-SHLIB_SUFFIX provide control over how Postfix libraries and plugins are
-compiled, linked, and named.
-
- $ make makefiles SHLIB_CFLAGS=flags SHLIB_RPATH=rpath SHLIB_SUFFIX=suffix
- ...other arguments...
- $ make
-
-See section 4.7 "Overriding other compile-time features" below for details.
-
-Customizing the location of Postfix dynamically-linked libraries and database
-plugins
-
-As a reminder, the directories with Postfix dynamically-linked libraries or
-database plugins should contain only Postfix-related files. Linking these files
-into other programs is not supported.
-
-To override the default location of Postfix dynamically-linked libraries and
-database plugins specify, for example:
-
- $ make makefiles shared=yes shlib_directory=/usr/local/lib/postfix ...
-
-If you intend to upgrade Postfix without stopping the mail system, then you
-should append the Postfix release version to the shlib_directory pathname, to
-eliminate the possibility that programs will link with dynamically-linked
-libraries or database plugins from the wrong Postfix version. For example:
-
- $ make makefiles shared=yes \
- shlib_directory=/usr/local/lib/postfix/MAIL_VERSION ...
-
-The command "make makefiles name=value..." will replace the string MAIL_VERSION
-at the end of a configuration parameter value with the Postfix release version.
-Do not try to specify something like $mail_version on this command line. This
-produces inconsistent results with different versions of the make(1) command.
-
-You can change the shlib_directory setting after Postfix is built, with "make
-install" or "make upgrade". However, you may have to run ldconfig if you change
-shlib_directory after Postfix is built (the symptom is that Postfix programs
-fail because the run-time linker cannot find the files libpostfix-*.so). No
-ldconfig command is needed if you keep the files libpostfix-*.so in the
-compiled-in default $shlib_directory location.
-
- # make upgrade shlib_directory=/usr/local/lib/postfix ...
- # make install shlib_directory=/usr/local/lib/postfix ...
-
-To append the Postfix release version to the pathname if you intend to upgrade
-Postfix without stopping the mail system:
-
- # make upgrade shlib_directory=/usr/local/lib/postfix/MAIL_VERSION ...
- # make install shlib_directory=/usr/local/lib/postfix/MAIL_VERSION ...
-
-See also the comments above for appending MAIL_VERSION with the "make
-makefiles" command.
-
-Customizing the location of dynamicmaps.cf and other files
-
-The meta_directory parameter has the same default setting as the
-config_directory parameter, typically /etc/postfix or /usr/local/etc/postfix.
-
-You can override the default meta_directory location at compile time or after
-Postfix is built. To override the default location at compile time specify, for
-example:
-
- % make makefiles meta_directory=/usr/libexec/postfix ...
-
-Here is a tip if you want to make a pathname dependent on the Postfix release
-version: the command "make makefiles name=value..." will replace the string
-MAIL_VERSION at the end of a configuration parameter value with the Postfix
-release version. Do not try to specify something like $mail_version on this
-command line. This produces inconsistent results with different versions of the
-make(1) command.
-
-You can override the meta_directory setting after Postfix is built, with "make
-install" or "make upgrade".
-
- # make upgrade meta_directory=/usr/libexec/postfix ...
- # make install meta_directory=/usr/libexec/postfix ...
-
-As with the command "make makefiles, the command "make install/upgrade
-name=value..." will replace the string MAIL_VERSION at the end of a
-configuration parameter value with the Postfix release version. Do not try to
-specify something like $mail_version on this command line. This produces
-inconsistent results with different versions of the make(1) command.
-
-4.4.4 Tips for distribution maintainers
-
- * The shlib_directory parameter setting also provides the default directory
- for database plugin files with a relative pathname in the file
- dynamicmaps.cf.
-
- * The meta_directory parameter specifies the location of the files
- dynamicmaps.cf, postfix-files, and some multi-instance template files. The
- meta_directory parameter has the same default value as the config_directory
- parameter (typically, /etc/postfix or /usr/local/etc/postfix). For
- backwards compatibility with Postfix 2.6 .. 2.11, specify "meta_directory =
- $daemon_directory" in main.cf before installing or upgrading Postfix, or
- specify "meta_directory = /path/name" on the "make makefiles", "make
- install" or "make upgrade" command line.
-
- * The configuration file dynamicmaps.cf will automatically include files
- under the directory dynamicmaps.cf.d, just like the configuration file
- postfix-files will automatically include files under the directory postfix-
- files.d. Thanks to this, you can install or deinstall a database plugin
- package without having to edit postfix-files or dynamicmaps.cf. Instead,
- you give that plugin its own configuration files dynamicmaps.cf.d and
- postfix-files.d, and you add or remove those configuration files along with
- the database plugin dynamically-linked object.
-
- * Each configuration file under the directory dynamicmaps.cf.d must have the
- same format as the configuration file dynamicmaps.cf. There is no
- requirement that these configuration file *names* have a specific format.
-
- * Each configuration file under the directory postfix-files.d must have the
- same format as the configuration file postfix-files. There is no
- requirement that these configuration file *names* have a specific format.
-
-4.5 - Building with optional features
-
-By default, Postfix builds as a mail system with relatively few bells and
-whistles. Support for third-party databases etc. must be configured when
-Postfix is compiled. The following documents describe how to build Postfix with
-support for optional features:
-
- _____________________________________________________________
- |Optional feature |Document |Availability|
- |__________________________________|_____________|____________|
- |Berkeley DB database |DB_README |Postfix 1.0 |
- |__________________________________|_____________|____________|
- |LMDB database |LMDB_README |Postfix 2.11|
- |__________________________________|_____________|____________|
- |LDAP database |LDAP_README |Postfix 1.0 |
- |__________________________________|_____________|____________|
- |MySQL database |MYSQL_README |Postfix 1.0 |
- |__________________________________|_____________|____________|
- |Perl compatible regular expression|PCRE_README |Postfix 1.0 |
- |__________________________________|_____________|____________|
- |PostgreSQL database |PGSQL_README |Postfix 2.0 |
- |__________________________________|_____________|____________|
- |SASL authentication |SASL_README |Postfix 1.0 |
- |__________________________________|_____________|____________|
- |SQLite database |SQLITE_README|Postfix 2.8 |
- |__________________________________|_____________|____________|
- |STARTTLS session encryption |TLS_README |Postfix 2.2 |
- |__________________________________|_____________|____________|
-
-Note: IP version 6 support is compiled into Postfix on operating systems that
-have IPv6 support. See the IPV6_README file for details.
-
-4.6 - Overriding built-in parameter default settings
-
-4.6.1 - Postfix 3.0 and later
-
-All Postfix configuration parameters can be changed by editing a Postfix
-configuration file, except for one: the parameter that specifies the location
-of Postfix configuration files. In order to build Postfix with a configuration
-directory other than /etc/postfix, use:
-
- $ make makefiles config_directory=/some/where ...other arguments...
- $ make
-
-The command "make makefiles name=value ..." will replace the string
-MAIL_VERSION at the end of a configuration parameter value with the Postfix
-release version. Do not try to specify something like $mail_version on this
-command line. This produces inconsistent results with different versions of the
-make(1) command.
-
-Parameters whose defaults can be specified in this way are listed below. See
-the postconf(5) manpage for a description (command: "nroff -man man/man5/
-postconf.5 | less").
-
- __________________________________________
- |parameter name |typical default |
- |_____________________|____________________|
- |command_directory |/usr/sbin |
- |_____________________|____________________|
- |config_directory |/etc/postfix |
- |_____________________|____________________|
- |default_database_type|hash |
- |_____________________|____________________|
- |daemon_directory |/usr/libexec/postfix|
- |_____________________|____________________|
- |data_directory |/var/lib/postfix |
- |_____________________|____________________|
- |html_directory |no |
- |_____________________|____________________|
- |mail_spool_directory |/var/mail |
- |_____________________|____________________|
- |mailq_path |/usr/bin/mailq |
- |_____________________|____________________|
- |manpage_directory |/usr/local/man |
- |_____________________|____________________|
- |meta_directory |/etc/postfix |
- |_____________________|____________________|
- |newaliases_path |/usr/bin/newaliases |
- |_____________________|____________________|
- |queue_directory |/var/spool/postfix |
- |_____________________|____________________|
- |readme_directory |no |
- |_____________________|____________________|
- |sendmail_path |/usr/sbin/sendmail |
- |_____________________|____________________|
- |shlib_directory |/usr/lib/postfix |
- |_____________________|____________________|
-
-4.6.2 - All Postfix versions
-
-All Postfix configuration parameters can be changed by editing a Postfix
-configuration file, except for one: the parameter that specifies the location
-of Postfix configuration files. In order to build Postfix with a configuration
-directory other than /etc/postfix, use:
-
- $ make makefiles CCARGS='-DDEF_CONFIG_DIR=\"/some/where\"'
- $ make
-
-IMPORTANT: Be sure to get the quotes right. These details matter a lot.
-
-Parameters whose defaults can be specified in this way are listed below. See
-the postconf(5) manpage for a description (command: "nroff -man man/man5/
-postconf.5 | less").
-
- ____________________________________________________________
- |Macro name |default value for |typical default |
- |_________________|_____________________|____________________|
- |DEF_COMMAND_DIR |command_directory |/usr/sbin |
- |_________________|_____________________|____________________|
- |DEF_CONFIG_DIR |config_directory |/etc/postfix |
- |_________________|_____________________|____________________|
- |DEF_DB_TYPE |default_database_type|hash |
- |_________________|_____________________|____________________|
- |DEF_DAEMON_DIR |daemon_directory |/usr/libexec/postfix|
- |_________________|_____________________|____________________|
- |DEF_DATA_DIR |data_directory |/var/lib/postfix |
- |_________________|_____________________|____________________|
- |DEF_MAILQ_PATH |mailq_path |/usr/bin/mailq |
- |_________________|_____________________|____________________|
- |DEF_HTML_DIR |html_directory |no |
- |_________________|_____________________|____________________|
- |DEF_MANPAGE_DIR |manpage_directory |/usr/local/man |
- |_________________|_____________________|____________________|
- |DEF_NEWALIAS_PATH|newaliases_path |/usr/bin/newaliases |
- |_________________|_____________________|____________________|
- |DEF_QUEUE_DIR |queue_directory |/var/spool/postfix |
- |_________________|_____________________|____________________|
- |DEF_README_DIR |readme_directory |no |
- |_________________|_____________________|____________________|
- |DEF_SENDMAIL_PATH|sendmail_path |/usr/sbin/sendmail |
- |_________________|_____________________|____________________|
-
-Note: the data_directory parameter (for caches and pseudo-random numbers) was
-introduced with Postfix version 2.5.
-
-4.7 - Overriding other compile-time features
-
-The general method to override Postfix compile-time features is as follows:
-
- $ make makefiles name=value name=value...
- $ make
-
-The following is an extensive list of names and values.
-
- _____________________________________________________________________________
-|Name/Value |Description |
-|______________________________|______________________________________________|
-| |Specifies one or more non-default object |
-| |libraries. Postfix 3.0 and later specify some |
-| |of their database library dependencies with |
-|AUXLIBS="object_library..." |AUXLIBS_CDB, AUXLIBS_LDAP, AUXLIBS_LMDB, |
-| |AUXLIBS_MYSQL, AUXLIBS_PCRE, AUXLIBS_PGSQL, |
-| |AUXLIBS_SDBM, and AUXLIBS_SQLITE, |
-| |respectively. |
-|______________________________|______________________________________________|
-|CC=compiler_command |Specifies a non-default compiler. On many |
-| |systems, the default is gcc. |
-|______________________________|______________________________________________|
-| |Specifies non-default compiler arguments, for |
-|CCARGS="compiler_arguments..."|example, a non-default include directory. The |
-| |following directives turn off Postfix features|
-| |at compile time: |
-|______________________________|______________________________________________|
-|| |Do not build with Berkeley DB support. By |
-|| |default, Berkeley DB support is compiled in on|
-||-DNO_DB |platforms that are known to support this |
-|| |feature. If you override this, then you |
-|| |probably should also override DEF_DB_TYPE as |
-|| |described in section 4.6. |
-||_____________________________|______________________________________________|
-||-DNO_DNSSEC |Do not build with DNSSEC support, even if the |
-|| |resolver library appears to support it. |
-||_____________________________|______________________________________________|
-|| |Do not build with Solaris /dev/poll support. |
-||-DNO_DEVPOLL |By default, /dev/poll support is compiled in |
-|| |on Solaris versions that are known to support |
-|| |this feature. |
-||_____________________________|______________________________________________|
-|| |Do not build with Linux EPOLL support. By |
-||-DNO_EPOLL |default, EPOLL support is compiled in on |
-|| |platforms that are known to support this |
-|| |feature. |
-||_____________________________|______________________________________________|
-|| |Do not build with EAI (SMTPUTF8) support. By |
-||-DNO_EAI |default, EAI support is compiled in when the |
-|| |"icuuc" library and header files are found. |
-||_____________________________|______________________________________________|
-|| |Do not require support for C99 "inline" |
-||-DNO_INLINE |functions. Instead, implement argument |
-|| |typechecks for non-printf/scanf-like functions|
-|| |with ternary operators and unreachable code. |
-||_____________________________|______________________________________________|
-|| |Do not build with IPv6 support. By default, |
-|| |IPv6 support is compiled in on platforms that |
-||-DNO_IPV6 |are known to have IPv6 support. Note: this |
-|| |directive is for debugging and testing only. |
-|| |It is not guaranteed to work on all platforms.|
-||_____________________________|______________________________________________|
-|| |Do not build with FreeBSD / NetBSD / OpenBSD /|
-||-DNO_KQUEUE |MacOSX KQUEUE support. By default, KQUEUE |
-|| |support is compiled in on platforms that are |
-|| |known to support it. |
-||_____________________________|______________________________________________|
-|| |Do not build with NIS or NISPLUS support. NIS |
-||-DNO_NIS |is not available on some recent Linux |
-|| |distributions. |
-||_____________________________|______________________________________________|
-|| |Do not build with NISPLUS support. NISPLUS is |
-||-DNO_NISPLUS |not available on some recent Solaris |
-|| |distributions. |
-||_____________________________|______________________________________________|
-|| |Do not build with PCRE support. By default, |
-||-DNO_PCRE |PCRE support is compiled in when the pcre- |
-|| |config utility is installed. |
-||_____________________________|______________________________________________|
-|| |Disable support for POSIX getpwnam_r/ |
-||-DNO_POSIX_GETPW_R |getpwuid_r. By default Postfix uses these |
-|| |where they are known to be available. |
-||_____________________________|______________________________________________|
-|| |Use setjmp()/longjmp() instead of sigsetjmp()/|
-||-DNO_SIGSETJMP |siglongjmp(). By default, Postfix uses |
-|| |sigsetjmp()/siglongjmp() when they are known |
-|| |to be available. |
-||_____________________________|______________________________________________|
-| |Specifies a non-default compiler debugging |
-|DEBUG=debug_level |level. The default is "-g". Specify DEBUG= to |
-| |turn off debugging. |
-|______________________________|______________________________________________|
-| |Specifies a non-default optimization level. |
-|OPT=optimization_level |The default is "-O". Specify OPT= to turn off |
-| |optimization. |
-|______________________________|______________________________________________|
-| |Specifies non-default compiler options for |
-|SHLIB_CFLAGS=flags |building Postfix dynamically-linked libraries |
-| |and database plugins. The typical default is |
-| |"-fPIC". |
-|______________________________|______________________________________________|
-| |Specifies a non-default runpath for Postfix |
-|SHLIB_RPATH=rpath |dynamically-linked libraries. The typical |
-| |default is "'-Wl,-rpath,${SHLIB_DIR}'". |
-|______________________________|______________________________________________|
-| |Specifies a non-default suffix for Postfix |
-|SHLIB_SUFFIX=suffix |dynamically-linked libraries and database |
-| |plugins. The typical default is ".so". |
-|______________________________|______________________________________________|
-| |Specifies non-default compiler warning options|
-|WARN="warning_flags..." |for use when "make" is invoked in a source |
-| |subdirectory only. |
-|______________________________|______________________________________________|
-
-4.8 - Support for thousands of processes
-
-The number of connections that Postfix can manage simultaneously is limited by
-the number of processes that it can run. This number in turn is limited by the
-number of files and sockets that a single process can open. For example, the
-Postfix queue manager has a separate connection to each delivery process, and
-the anvil(8) server has one connection per smtpd(8) process.
-
-Postfix version 2.4 and later have no built-in limits on the number of open
-files or sockets, when compiled on systems that support one of the following:
-
- * BSD kqueue(2) (FreeBSD 4.1, NetBSD 2.0, OpenBSD 2.9),
- * Solaris 8 /dev/poll,
- * Linux 2.6 epoll(4).
-
-With other Postfix versions or operating systems, the number of file
-descriptors per process is limited by the value of the FD_SETSIZE macro. If you
-expect to run more than 1000 mail delivery processes, you may need to override
-the definition of the FD_SETSIZE macro to make select() work correctly:
-
- $ make makefiles CCARGS=-DFD_SETSIZE=2048
-
-Warning: the above has no effect on some Linux versions. Apparently, on these
-systems the FD_SETSIZE value can be changed only by using undocumented
-interfaces. Currently, that means including <bits/types.h> directly (which is
-not allowed) and overriding the __FD_SETSIZE macro. Beware, undocumented
-interfaces can change at any time and without warning.
-
-But wait, there is more: none of this will work unless the operating system is
-configured to handle thousands of connections. See the TUNING_README guide for
-examples of how to increase the number of open sockets or files.
-
-4.9 - Compiling Postfix, at last
-
-If the command
-
- $ make
-
-is successful, then you can proceed to install Postfix (section 6).
-
-If the command produces compiler error messages, it may be time to search the
-web or to ask the postfix-users@postfix.org mailing list, but be sure to search
-the mailing list archives first. Some mailing list archives are linked from
-http://www.postfix.org/.
-
-5 - Porting Postfix to an unsupported system
-
-Each system type that Postfix knows is identified by a unique name. Examples:
-SUNOS5, FREEBSD4, and so on. When porting Postfix to a new system, the first
-step is to choose a SYSTEMTYPE name for the new system. You must use a name
-that includes at least the major version of the operating system (such as
-SUNOS4 or LINUX2), so that different releases of the same system can be
-supported without confusion.
-
-Add a case statement to the "makedefs" shell script in the source code top-
-level directory that recognizes the new system reliably, and that emits the
-right system-specific information. Be sure to make the code robust against user
-PATH settings; if the system offers multiple UNIX flavors (e.g. BSD and SYSV)
-be sure to build for the native flavor, instead of the emulated one.
-
-Add an "#ifdef SYSTEMTYPE" section to the central util/sys_defs.h include file.
-You may have to invent new feature macro names. Please choose sensible feature
-macro names such as HAS_DBM or FIONREAD_IN_SYS_FILIO_H.
-
-I strongly recommend against using "#ifdef SYSTEMTYPE" in individual source
-files. While this may look like the quickest solution, it will create a mess
-when newer versions of the same SYSTEMTYPE need to be supported. You're likely
-to end up placing "#ifdef" sections all over the source code again.
-
-6 - Installing the software after successful compilation
-
-This text describes how to install Postfix from source code. See the
-PACKAGE_README file if you are building a package for distribution to other
-systems.
-
-6.1 - Save existing Sendmail binaries
-
-IMPORTANT: if you are REPLACING an existing Sendmail installation with Postfix,
-you may need to keep the old sendmail program running for some time in order to
-flush the mail queue.
-
- * Some systems implement a mail switch mechanism where different MTAs
- (Postfix, Sendmail, etc.) can be installed at the same time, while only one
- of them is actually being used. Examples of such switching mechanisms are
- the FreeBSD mailwrapper(8) or the Linux mail switch. In this case you
- should try to "flip" the switch to "Postfix" before installing Postfix.
-
- * If your system has no mail switch mechanism, execute the following commands
- (your sendmail, newaliases and mailq programs may be in a different place):
-
- # mv /usr/sbin/sendmail /usr/sbin/sendmail.OFF
- # mv /usr/bin/newaliases /usr/bin/newaliases.OFF
- # mv /usr/bin/mailq /usr/bin/mailq.OFF
- # chmod 755 /usr/sbin/sendmail.OFF /usr/bin/newaliases.OFF \
- /usr/bin/mailq.OFF
-
-6.2 - Create account and groups
-
-Before you install Postfix for the first time you need to create an account and
-a group:
-
- * Create a user account "postfix" with a user id and group id that are not
- used by any other user account. Preferably, this is an account that no-one
- can log into. The account does not need an executable login shell, and
- needs no existing home directory. My password and group file entries look
- like this:
-
- /etc/passwd:
- postfix:*:12345:12345:postfix:/no/where:/no/shell
-
- /etc/group:
- postfix:*:12345:
-
- Note: there should be no whitespace before "postfix:".
-
- * Create a group "postdrop" with a group id that is not used by any other
- user account. Not even by the postfix user account. My group file entry
- looks like:
-
- /etc/group:
- postdrop:*:54321:
-
- Note: there should be no whitespace before "postdrop:".
-
-6.3 - Install Postfix
-
-To install or upgrade Postfix from compiled source code, run one of the
-following commands as the super-user:
-
- # make install (interactive version, first time install)
-
- # make upgrade (non-interactive version, for upgrades)
-
- * The interactive version ("make install") asks for pathnames for Postfix
- data and program files, and stores your preferences in the main.cf file. If
- you don't want Postfix to overwrite non-Postfix "sendmail", "mailq" and
- "newaliases" files, specify pathnames that end in ".postfix".
-
- * The non-interactive version ("make upgrade") needs the /etc/postfix/main.cf
- file from a previous installation. If the file does not exist, use
- interactive installation ("make install") instead.
-
- * If you specify name=value arguments on the "make install" or "make upgrade"
- command line, then these will take precedence over compiled-in default
- settings or main.cf settings.
-
- The command "make install/upgrade name=value ..." will replace the string
- MAIL_VERSION at the end of a configuration parameter value with the Postfix
- release version. Do not try to specify something like $mail_version on this
- command line. This produces inconsistent results with different versions of
- the make(1) command.
-
-6.4 - Configure Postfix
-
-Proceed to the section on how you wish to run Postfix on your particular
-machine:
-
- * Send mail only, without changing an existing Sendmail installation (section
- 7).
-
- * Send and receive mail via a virtual host interface, still without any
- change to an existing Sendmail installation (section 8).
-
- * Run Postfix instead of Sendmail (section 9).
-
-7 - Configuring Postfix to send mail only
-
-If you are going to use Postfix to send mail only, there is no need to change
-your existing sendmail setup. Instead, set up your mail user agent so that it
-calls the Postfix sendmail program directly.
-
-Follow the instructions in the "Mandatory configuration file edits" in section
-10, and review the "To chroot or not to chroot" text in section 11.
-
-You MUST comment out the "smtp inet" entry in /etc/postfix/master.cf, in order
-to avoid conflicts with the real sendmail. Put a "#" character in front of the
-line that defines the smtpd service:
-
- /etc/postfix/master.cf:
- #smtp inet n - n - - smtpd
-
-Start the Postfix system:
-
- # postfix start
-
-or, if you feel nostalgic, use the Postfix sendmail command:
-
- # sendmail -bd -qwhatever
-
-and watch your maillog file for any error messages. The pathname is /var/log/
-maillog, /var/log/mail, /var/log/syslog, or something else. Typically, the
-pathname is defined in the /etc/syslog.conf file.
-
- $ egrep '(reject|warning|error|fatal|panic):' /some/log/file
-
-Note: the most important error message is logged first. Later messages are not
-as useful.
-
-In order to inspect the mail queue, use one of the following commands:
-
- $ mailq
-
- $ sendmail -bp
-
- $ postqueue -p
-
-See also the "Care and feeding" section 12 below.
-
-8 - Configuring Postfix to send and receive mail via virtual interface
-
-Alternatively, you can use the Postfix system to send AND receive mail while
-leaving your Sendmail setup intact, by running Postfix on a virtual interface
-address. Simply configure your mail user agent to directly invoke the Postfix
-sendmail program.
-
-To create a virtual network interface address, study your system ifconfig
-manual page. The command syntax could be any of:
-
- # ifconfig le0:1 <address> netmask <mask> up
- # ifconfig en0 alias <address> netmask 255.255.255.255
-
-In the /etc/postfix/main.cf file, I would specify
-
- /etc/postfix/main.cf:
- myhostname = virtual.host.tld
- inet_interfaces = $myhostname
- mydestination = $myhostname
-
-Follow the instructions in the "Mandatory configuration file edits" in section
-10, and review the "To chroot or not to chroot" text in section 11.
-
-Start the Postfix system:
-
- # postfix start
-
-or, if you feel nostalgic, use the Postfix sendmail command:
-
- # sendmail -bd -qwhatever
-
-and watch your maillog file for any error messages. The pathname is /var/log/
-maillog, /var/log/mail, /var/log/syslog, or something else. Typically, the
-pathname is defined in the /etc/syslog.conf file.
-
- $ egrep '(reject|warning|error|fatal|panic):' /some/log/file
-
-Note: the most important error message is logged first. Later messages are not
-as useful.
-
-In order to inspect the mail queue, use one of the following commands:
-
- $ mailq
-
- $ sendmail -bp
-
- $ postqueue -p
-
-See also the "Care and feeding" section 12 below.
-
-9 - Running Postfix instead of Sendmail
-
-Prior to installing Postfix you should save any existing sendmail program files
-as described in section 6. Be sure to keep the old sendmail running for at
-least a couple days to flush any unsent mail. To do so, stop the sendmail
-daemon and restart it as:
-
- # /usr/sbin/sendmail.OFF -q
-
-Note: this is old sendmail syntax. Newer versions use separate processes for
-mail submission and for running the queue.
-
-After you have visited the "Mandatory configuration file edits" section below,
-you can start the Postfix system with:
-
- # postfix start
-
-or, if you feel nostalgic, use the Postfix sendmail command:
-
- # sendmail -bd -qwhatever
-
-and watch your maillog file for any error messages. The pathname is /var/log/
-maillog, /var/log/mail, /var/log/syslog, or something else. Typically, the
-pathname is defined in the /etc/syslog.conf file.
-
- $ egrep '(reject|warning|error|fatal|panic):' /some/log/file
-
-Note: the most important error message is logged first. Later messages are not
-as useful.
-
-In order to inspect the mail queue, use one of the following commands:
-
- $ mailq
-
- $ sendmail -bp
-
- $ postqueue -p
-
-See also the "Care and feeding" section 12 below.
-
-10 - Mandatory configuration file edits
-
-Note: the material covered in this section is covered in more detail in the
-BASIC_CONFIGURATION_README document. The information presented below is
-targeted at experienced system administrators.
-
-10.1 - Postfix configuration files
-
-By default, Postfix configuration files are in /etc/postfix. The two most
-important files are main.cf and master.cf; these files must be owned by root.
-Giving someone else write permission to main.cf or master.cf (or to their
-parent directories) means giving root privileges to that person.
-
-In /etc/postfix/main.cf, you will have to set up a minimal number of
-configuration parameters. Postfix configuration parameters resemble shell
-variables, with two important differences: the first one is that Postfix does
-not know about quotes like the UNIX shell does.
-
-You specify a configuration parameter as:
-
- /etc/postfix/main.cf:
- parameter = value
-
-and you use it by putting a "$" character in front of its name:
-
- /etc/postfix/main.cf:
- other_parameter = $parameter
-
-You can use $parameter before it is given a value (that is the second main
-difference with UNIX shell variables). The Postfix configuration language uses
-lazy evaluation, and does not look at a parameter value until it is needed at
-runtime.
-
-Whenever you make a change to the main.cf or master.cf file, execute the
-following command in order to refresh a running mail system:
-
- # postfix reload
-
-10.2 - Default domain for unqualified addresses
-
-First of all, you must specify what domain will be appended to an unqualified
-address (i.e. an address without @domain.tld). The "myorigin" parameter
-defaults to the local hostname, but that is probably OK only for very small
-sites.
-
-Some examples (use only one):
-
- /etc/postfix/main.cf:
- myorigin = $myhostname (send mail as "user@$myhostname")
- myorigin = $mydomain (send mail as "user@$mydomain")
-
-10.3 - What domains to receive locally
-
-Next you need to specify what mail addresses Postfix should deliver locally.
-
-Some examples (use only one):
-
- /etc/postfix/main.cf:
- mydestination = $myhostname, localhost.$mydomain, localhost
- mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
- mydestination = $myhostname
-
-The first example is appropriate for a workstation, the second is appropriate
-for the mailserver for an entire domain. The third example should be used when
-running on a virtual host interface.
-
-10.4 - Proxy/NAT interface addresses
-
-The proxy_interfaces parameter specifies all network addresses that Postfix
-receives mail on by way of a proxy or network address translation unit. You may
-specify symbolic hostnames instead of network addresses.
-
-IMPORTANT: You must specify your proxy/NAT external addresses when your system
-is a backup MX host for other domains, otherwise mail delivery loops will
-happen when the primary MX host is down.
-
-Example: host behind NAT box running a backup MX host.
-
- /etc/postfix/main.cf:
- proxy_interfaces = 1.2.3.4 (the proxy/NAT external network address)
-
-10.5 - What local clients to relay mail from
-
-If your machine is on an open network then you must specify what client IP
-addresses are authorized to relay their mail through your machine into the
-Internet. The default setting includes all subnetworks that the machine is
-attached to. This may give relay permission to too many clients. My own
-settings are:
-
- /etc/postfix/main.cf:
- mynetworks = 168.100.189.0/28, 127.0.0.0/8
-
-10.6 - What relay destinations to accept from strangers
-
-If your machine is on an open network then you must also specify whether
-Postfix will forward mail from strangers. The default setting will forward mail
-to all domains (and subdomains of) what is listed in $mydestination. This may
-give relay permission for too many destinations. Recommended settings (use only
-one):
-
- /etc/postfix/main.cf:
- relay_domains = (do not forward mail from strangers)
- relay_domains = $mydomain (my domain and subdomains)
- relay_domains = $mydomain, other.domain.tld, ...
-
-10.7 - Optional: configure a smart host for remote delivery
-
-If you're behind a firewall, you should set up a relayhost. If you can, specify
-the organizational domain name so that Postfix can use DNS lookups, and so that
-it can fall back to a secondary MX host when the primary MX host is down.
-Otherwise just specify a hard-coded hostname.
-
-Some examples (use only one):
-
- /etc/postfix/main.cf:
- relayhost = $mydomain
- relayhost = [mail.$mydomain]
-
-The form enclosed with [] eliminates DNS MX lookups.
-
-By default, the SMTP client will do DNS lookups even when you specify a relay
-host. If your machine has no access to a DNS server, turn off SMTP client DNS
-lookups like this:
-
- /etc/postfix/main.cf:
- disable_dns_lookups = yes
-
-The STANDARD_CONFIGURATION_README file has more hints and tips for firewalled
-and/or dial-up networks.
-
-10.8 - Create the aliases database
-
-Postfix uses a Sendmail-compatible aliases(5) table to redirect mail for local
-(8) recipients. Typically, this information is kept in two files: in a text
-file /etc/aliases and in an indexed file /etc/aliases.db. The command "postconf
-alias_maps" will tell you the exact location of the text file.
-
-First, be sure to update the text file with aliases for root, postmaster and
-"postfix" that forward mail to a real person. Postfix has a sample aliases file
-/etc/postfix/aliases that you can adapt to local conditions.
-
- /etc/aliases:
- root: you
- postmaster: root
- postfix: root
- bin: root
- etcetera...
-
-Note: there should be no whitespace before the ":".
-
-Finally, build the indexed aliases file with one of the following commands:
-
- # newaliases
- # sendmail -bi
-
-11 - To chroot or not to chroot
-
-Postfix daemon processes can be configured (via master.cf) to run in a chroot
-jail. The processes run at a fixed low privilege and with access only to the
-Postfix queue directories (/var/spool/postfix). This provides a significant
-barrier against intrusion. The barrier is not impenetrable, but every little
-bit helps.
-
-With the exception of Postfix daemons that deliver mail locally and/or that
-execute non-Postfix commands, every Postfix daemon can run chrooted.
-
-Sites with high security requirements should consider to chroot all daemons
-that talk to the network: the smtp(8) and smtpd(8) processes, and perhaps also
-the lmtp(8) client. The author's own porcupine.org mail server runs all daemons
-chrooted that can be chrooted.
-
-The default /etc/postfix/master.cf file specifies that no Postfix daemon runs
-chrooted. In order to enable chroot operation, edit the file /etc/postfix/
-master.cf. Instructions are in the file.
-
-Note that a chrooted daemon resolves all filenames relative to the Postfix
-queue directory (/var/spool/postfix). For successful use of a chroot jail, most
-UNIX systems require you to bring in some files or device nodes. The examples/
-chroot-setup directory in the source code distribution has a collection of
-scripts that help you set up Postfix chroot environments on different operating
-systems.
-
-Additionally, you almost certainly need to configure syslogd so that it listens
-on a socket inside the Postfix queue directory. Examples for specific systems:
-
-FreeBSD:
-
- # mkdir -p /var/spool/postfix/var/run
- # syslogd -l /var/spool/postfix/var/run/log
-
-Linux, OpenBSD:
-
- # mkdir -p /var/spool/postfix/dev
- # syslogd -a /var/spool/postfix/dev/log
-
-12 - Care and feeding of the Postfix system
-
-Postfix daemon processes run in the background, and log problems and normal
-activity to the syslog daemon. The names of logfiles are specified in /etc/
-syslog.conf. At the very least you need something like:
-
- /etc/syslog.conf:
- mail.err /dev/console
- mail.debug /var/log/maillog
-
-IMPORTANT: the syslogd will not create files. You must create them before
-(re)starting syslogd.
-
-IMPORTANT: on Linux you need to put a "-" character before the pathname, e.g.,
--/var/log/maillog, otherwise the syslogd will use more system resources than
-Postfix does.
-
-Hopefully, the number of problems will be small, but it is a good idea to run
-every night before the syslog files are rotated:
-
- # postfix check
- # egrep '(reject|warning|error|fatal|panic):' /some/log/file
-
- * The first line (postfix check) causes Postfix to report file permission/
- ownership discrepancies.
-
- * The second line looks for problem reports from the mail software, and
- reports how effective the relay and junk mail access blocks are. This may
- produce a lot of output. You will want to apply some postprocessing to
- eliminate uninteresting information.
-
-The DEBUG_README document describes the meaning of the "warning" etc. labels in
-Postfix logging.
src/posttls-finger
MANDIRS = proto man html
LIBEXEC = libexec/post-install libexec/postfix-script libexec/postfix-wrapper \
- libexec/postmulti-script
+ libexec/postmulti-script libexec/postfix-tls-script
PLUGINS = meta/dynamicmaps.cf
META = meta/main.cf.proto meta/master.cf.proto meta/postfix-files \
meta/makedefs.out $(PLUGINS)
libexec/postfix-script: conf/postfix-script
rm -f $@ && ln -f $? $@
+libexec/postfix-tls-script: conf/postfix-tls-script
+ rm -f $@ && ln -f $? $@
+
libexec/postfix-wrapper: conf/postfix-wrapper
rm -f $@ && ln -f $? $@
-P\bPo\bos\bst\btf\bfi\bix\bx I\bIn\bns\bst\bta\bal\bll\bla\bat\bti\bio\bon\bn F\bFr\bro\bom\bm S\bSo\bou\bur\brc\bce\be C\bCo\bod\bde\be
-
--------------------------------------------------------------------------------
-
-1\b1 -\b- P\bPu\bur\brp\bpo\bos\bse\be o\bof\bf t\bth\bhi\bis\bs d\bdo\boc\bcu\bum\bme\ben\bnt\bt
-
-If you are using a pre-compiled version of Postfix, you should start with
-BASIC_CONFIGURATION_README and the general documentation referenced by it.
-INSTALL is only a bootstrap document to get Postfix up and running from scratch
-with the minimal number of steps; it should not be considered part of the
-general documentation.
-
-This document describes how to build, install and configure a Postfix system so
-that it can do one of the following:
-
- * Send mail only, without changing an existing Sendmail installation.
- * Send and receive mail via a virtual host interface, still without any
- change to an existing Sendmail installation.
- * Run Postfix instead of Sendmail.
-
-Topics covered in this document:
-
- 1. Purpose of this document
- 2. Typographical conventions
- 3. Documentation
- 4. Building on a supported system
- 5. Porting Postfix to an unsupported system
- 6. Installing the software after successful compilation
- 7. Configuring Postfix to send mail only
- 8. Configuring Postfix to send and receive mail via virtual interface
- 9. Running Postfix instead of Sendmail
-10. Mandatory configuration file edits
-11. To chroot or not to chroot
-12. Care and feeding of the Postfix system
-
-2\b2 -\b- T\bTy\byp\bpo\bog\bgr\bra\bap\bph\bhi\bic\bca\bal\bl c\bco\bon\bnv\bve\ben\bnt\bti\bio\bon\bns\bs
-
-In the instructions below, a command written as
-
- # command
-
-should be executed as the superuser.
-
-A command written as
-
- $ command
-
-should be executed as an unprivileged user.
-
-3\b3 -\b- D\bDo\boc\bcu\bum\bme\ben\bnt\bta\bat\bti\bio\bon\bn
-
-Documentation is available as README files (start with the file README_FILES/
-AAAREADME), as HTML web pages (point your browser to "html/index.html") and as
-UNIX-style manual pages.
-
-You should view the README files with a pager such as more(1) or less(1),
-because the files use backspace characters in order to produce b\bbo\bol\bld\bd font. To
-print a README file without backspace characters, use the col(1) command. For
-example:
-
- $ col -bx <file | lpr
-
-In order to view the manual pages before installing Postfix, point your MANPATH
-environment variable to the "man" subdirectory; be sure to use an absolute
-path.
-
- $ export MANPATH; MANPATH="`pwd`/man:$MANPATH"
- $ setenv MANPATH "`pwd`/man:$MANPATH"
-
-Of particular interest is the postconf(5) manual page that lists all the 500+
-configuration parameters. The HTML version of this text makes it easy to
-navigate around.
-
-All Postfix source files have their own built-in manual page. Tools to extract
-those embedded manual pages are available in the mantools directory.
-
-4\b4 -\b- B\bBu\bui\bil\bld\bdi\bin\bng\bg o\bon\bn a\ba s\bsu\bup\bpp\bpo\bor\brt\bte\bed\bd s\bsy\bys\bst\bte\bem\bm
-
-Postfix development happens on FreeBSD and MacOS X, with regular tests on Linux
-(Fedora, Ubuntu) and Solaris. Support for other systems relies on feedback from
-their users, and may not always be up-to-date.
-
-OpenBSD is partially supported. The libc resolver does not implement the
-documented "internal resolver options which are [...] set by changing fields in
-the _res structure" (documented in the OpenBSD 5.6 resolver(3) manpage). This
-results in too many DNS queries, and false positives for queries that should
-fail.
-
-Overview of topics:
-
- * 4.1 - Getting started
- * 4.2 - What compiler to use
- * 4.3 - Building with Postfix position-independent executables (Postfix >=
- 3.0)
- * 4.4 - Building with Postfix dynamically-linked libraries and database
- plugins (Postfix >= 3.0)
- * 4.5 - Building with optional features
- * 4.6 - Overriding built-in parameter default settings
- * 4.7 - Overriding other compile-time features
- * 4.8 - Support for thousands of processes
- * 4.9 - Compiling Postfix, at last
-
-4\b4.\b.1\b1 -\b- G\bGe\bet\btt\bti\bin\bng\bg s\bst\bta\bar\brt\bte\bed\bd
-
-On Solaris, the "make" command and other development utilities are in /usr/ccs/
-bin, so you MUST have /usr/ccs/bin in your command search path. If these files
-do not exist, you need to install the development packages first.
-
-If you need to build Postfix for multiple architectures from a single source-
-code tree, use the "lndir" command to build a shadow tree with symbolic links
-to the source files.
-
-If at any time in the build process you get messages like: "make: don't know
-how to ..." you should be able to recover by running the following command from
-the Postfix top-level directory:
-
- $ make -f Makefile.init makefiles
-
-If you copied the Postfix source code after building it on another machine, it
-is a good idea to cd into the top-level directory and first do this:
-
- $ make tidy
-
-This will get rid of any system dependencies left over from compiling the
-software elsewhere.
-
-4\b4.\b.2\b2 -\b- W\bWh\bha\bat\bt c\bco\bom\bmp\bpi\bil\ble\ber\br t\bto\bo u\bus\bse\be
-
-To build with GCC, or with the native compiler if people told me that is better
-for your system, just cd into the top-level Postfix directory of the source
-tree and type:
-
- $ make
-
-To build with a non-default compiler, you need to specify the name of the
-compiler. Here are a few examples:
-
- $ make makefiles CC=/opt/SUNWspro/bin/cc (Solaris)
- $ make
-
- $ make makefiles CC="/opt/ansic/bin/cc -Ae" (HP-UX)
- $ make
-
- $ make makefiles CC="purify cc"
- $ make
-
-and so on. In some cases, optimization will be turned off automatically.
-
-4\b4.\b.3\b3 -\b- B\bBu\bui\bil\bld\bdi\bin\bng\bg w\bwi\bit\bth\bh P\bPo\bos\bst\btf\bfi\bix\bx p\bpo\bos\bsi\bit\bti\bio\bon\bn-\b-i\bin\bnd\bde\bep\bpe\ben\bnd\bde\ben\bnt\bt e\bex\bxe\bec\bcu\but\bta\bab\bbl\ble\bes\bs (\b(P\bPo\bos\bst\btf\bfi\bix\bx >\b>=\b= 3\b3.\b.0\b0)\b)
-
-On some systems Postfix can be built with Position-Independent Executables. PIE
-is used by the ASLR exploit mitigation technique (ASLR = Address-Space Layout
-Randomization):
-
- $ make makefiles pie=yes ...other arguments...
-
-(Specify "make makefiles pie=no" to explicitly disable Postfix position-
-independent executable support).
-
-Postfix PIE support appears to work on Fedora Core 20, Ubuntu 14.04, FreeBSD 9
-and 10, and NetBSD 6 (all with the default system compilers).
-
-Whether the "pie=yes" above has any effect depends on the compiler. Some
-compilers always produce PIE executables, and some may even complain that the
-Postfix build option is redundant.
-
-4\b4.\b.4\b4 -\b- B\bBu\bui\bil\bld\bdi\bin\bng\bg w\bwi\bit\bth\bh P\bPo\bos\bst\btf\bfi\bix\bx d\bdy\byn\bna\bam\bmi\bic\bca\bal\bll\bly\by-\b-l\bli\bin\bnk\bke\bed\bd l\bli\bib\bbr\bra\bar\bri\bie\bes\bs a\ban\bnd\bd d\bda\bat\bta\bab\bba\bas\bse\be p\bpl\blu\bug\bgi\bin\bns\bs
-(\b(P\bPo\bos\bst\btf\bfi\bix\bx >\b>=\b= 3\b3.\b.0\b0)\b)
-
-Postfix dynamically-linked library and database plugin support exists for
-recent versions of Linux, FreeBSD and MacOS X. Dynamically-linked library
-builds may become the default at some point in the future.
-
-Overview of topics:
-
- * 4.4.1 Turning on Postfix dynamically-linked library support
- * 4.4.2 Turning on Postfix database-plugin support
- * 4.4.3 Customizing Postfix dynamically-linked libraries and database plugins
- * 4.4.4 Tips for distribution maintainers
-
-Note: directories with Postfix dynamically-linked libraries or database plugins
-should contain only postfix-related files. Postfix dynamically-linked libraries
-and database plugins should not be installed in a "public" system directory
-such as /usr/lib or /usr/local/lib. Linking Postfix dynamically-linked library
-or database-plugin files into non-Postfix programs is not supported. Postfix
-dynamically-linked libraries and database plugins implement a Postfix-internal
-API that changes without maintaining compatibility.
-
-4\b4.\b.4\b4.\b.1\b1 T\bTu\bur\brn\bni\bin\bng\bg o\bon\bn P\bPo\bos\bst\btf\bfi\bix\bx d\bdy\byn\bna\bam\bmi\bic\bca\bal\bll\bly\by-\b-l\bli\bin\bnk\bke\bed\bd l\bli\bib\bbr\bra\bar\bry\by s\bsu\bup\bpp\bpo\bor\brt\bt
-
-Postfix can be built with Postfix dynamically-linked libraries (files typically
-named libpostfix-*.so). Postfix dynamically-linked libraries add minor run-time
-overhead and result in significantly-smaller Postfix executable files.
-
-Specify "shared=yes" on the "make makefiles" command line to build Postfix with
-dynamically-linked library support.
-
- $ make makefiles shared=yes ...other arguments...
- $ make
-
-(Specify "make makefiles shared=no" to explicitly disable Postfix dynamically-
-linked library support).
-
-This installs dynamically-linked libraries in $shlib_directory, typically /usr/
-lib/postfix or /usr/local/lib/postfix, with file names libpostfix-name.so,
-where the name is a source-code directory name such as "util" or "global".
-
-See section 4.4.3 "Customizing Postfix dynamically-linked libraries and
-database plugins" below for how to customize the Postfix dynamically-linked
-library location, including support to upgrade a running mail system safely.
-
-4\b4.\b.4\b4.\b.2\b2 T\bTu\bur\brn\bni\bin\bng\bg o\bon\bn P\bPo\bos\bst\btf\bfi\bix\bx d\bda\bat\bta\bab\bba\bas\bse\be-\b-p\bpl\blu\bug\bgi\bin\bn s\bsu\bup\bpp\bpo\bor\brt\bt
-
-Additionally, Postfix can be built to support dynamic loading of Postfix
-database clients (database plugins) with the Debian-style dynamicmaps feature.
-Postfix 3.0 supports dynamic loading of cdb:, ldap:, lmdb:, mysql:, pcre:,
-pgsql:, sdbm:, and sqlite: database clients. Dynamic loading is useful when you
-distribute or install pre-compiled Postfix packages.
-
-Specify "dynamicmaps=yes" on the "make makefiles" command line to build Postfix
-with support to dynamically load Postfix database clients with the Debian-style
-dynamicmaps feature.
-
- $ make makefiles dynamicmaps=yes ...other arguments...
- $ make
-
-(Specify "make makefiles dynamicmaps=no" to explicitly disable Postfix
-database-plugin support).
-
-This implicitly enables dynamically-linked library support, installs the
-configuration file dynamicmaps.cf in $meta_directory (usually, /etc/postfix or
-/usr/local/etc/postfix), and installs database plugins in $shlib_directory (see
-above). Database plugins are named postfix-type.so where the type is a database
-type such as "cdb" or "ldap".
-
- NOTE: The Postfix 3.0 build procedure expects that you specify database
- library dependencies with variables named AUXLIBS_CDB, AUXLIBS_LDAP, etc.
- With Postfix 3.0 and later, the old AUXLIBS variable still supports
- building a statically-loaded database client, but only the new AUXLIBS_CDB
- etc. variables support building a dynamically-loaded or statically-loaded
- CDB etc. database client. See CDB_README, LDAP_README, etc. for details.
-
- Failure to follow this advice will defeat the purpose of dynamic database
- client loading. Every Postfix executable file will have database library
- dependencies. And that was exactly what dynamic database client loading was
- meant to avoid.
-
-See the next section for how to customize the location and version of Postfix
-database plugins and the location of the file dynamicmaps.cf.
-
-4\b4.\b.4\b4.\b.3\b3 C\bCu\bus\bst\bto\bom\bmi\biz\bzi\bin\bng\bg P\bPo\bos\bst\btf\bfi\bix\bx d\bdy\byn\bna\bam\bmi\bic\bca\bal\bll\bly\by-\b-l\bli\bin\bnk\bke\bed\bd l\bli\bib\bbr\bra\bar\bri\bie\bes\bs a\ban\bnd\bd d\bda\bat\bta\bab\bba\bas\bse\be p\bpl\blu\bug\bgi\bin\bns\bs
-
-C\bCu\bus\bst\bto\bom\bmi\biz\bzi\bin\bng\bg b\bbu\bui\bil\bld\bd-\b-t\bti\bim\bme\be a\ban\bnd\bd r\bru\bun\bn-\b-t\bti\bim\bme\be o\bop\bpt\bti\bio\bon\bns\bs f\bfo\bor\br P\bPo\bos\bst\btf\bfi\bix\bx d\bdy\byn\bna\bam\bmi\bic\bca\bal\bll\bly\by-\b-l\bli\bin\bnk\bke\bed\bd
-l\bli\bib\bbr\bra\bar\bri\bie\bes\bs a\ban\bnd\bd d\bda\bat\bta\bab\bba\bas\bse\be p\bpl\blu\bug\bgi\bin\bns\bs
-
-The build-time environment variables SHLIB_CFLAGS, SHLIB_RPATH, and
-SHLIB_SUFFIX provide control over how Postfix libraries and plugins are
-compiled, linked, and named.
-
- $ make makefiles SHLIB_CFLAGS=flags SHLIB_RPATH=rpath SHLIB_SUFFIX=suffix
- ...other arguments...
- $ make
-
-See section 4.7 "Overriding other compile-time features" below for details.
-
-C\bCu\bus\bst\bto\bom\bmi\biz\bzi\bin\bng\bg t\bth\bhe\be l\blo\boc\bca\bat\bti\bio\bon\bn o\bof\bf P\bPo\bos\bst\btf\bfi\bix\bx d\bdy\byn\bna\bam\bmi\bic\bca\bal\bll\bly\by-\b-l\bli\bin\bnk\bke\bed\bd l\bli\bib\bbr\bra\bar\bri\bie\bes\bs a\ban\bnd\bd d\bda\bat\bta\bab\bba\bas\bse\be
-p\bpl\blu\bug\bgi\bin\bns\bs
-
-As a reminder, the directories with Postfix dynamically-linked libraries or
-database plugins should contain only Postfix-related files. Linking these files
-into other programs is not supported.
-
-To override the default location of Postfix dynamically-linked libraries and
-database plugins specify, for example:
-
- $ make makefiles shared=yes shlib_directory=/usr/local/lib/postfix ...
-
-If you intend to upgrade Postfix without stopping the mail system, then you
-should append the Postfix release version to the shlib_directory pathname, to
-eliminate the possibility that programs will link with dynamically-linked
-libraries or database plugins from the wrong Postfix version. For example:
-
- $ make makefiles shared=yes \
- shlib_directory=/usr/local/lib/postfix/MAIL_VERSION ...
-
-The command "make makefiles name=value..." will replace the string MAIL_VERSION
-at the end of a configuration parameter value with the Postfix release version.
-Do not try to specify something like $mail_version on this command line. This
-produces inconsistent results with different versions of the make(1) command.
-
-You can change the shlib_directory setting after Postfix is built, with "make
-install" or "make upgrade". However, you may have to run ldconfig if you change
-shlib_directory after Postfix is built (the symptom is that Postfix programs
-fail because the run-time linker cannot find the files libpostfix-*.so). No
-ldconfig command is needed if you keep the files libpostfix-*.so in the
-compiled-in default $shlib_directory location.
-
- # make upgrade shlib_directory=/usr/local/lib/postfix ...
- # make install shlib_directory=/usr/local/lib/postfix ...
-
-To append the Postfix release version to the pathname if you intend to upgrade
-Postfix without stopping the mail system:
-
- # make upgrade shlib_directory=/usr/local/lib/postfix/MAIL_VERSION ...
- # make install shlib_directory=/usr/local/lib/postfix/MAIL_VERSION ...
-
-See also the comments above for appending MAIL_VERSION with the "make
-makefiles" command.
-
-C\bCu\bus\bst\bto\bom\bmi\biz\bzi\bin\bng\bg t\bth\bhe\be l\blo\boc\bca\bat\bti\bio\bon\bn o\bof\bf d\bdy\byn\bna\bam\bmi\bic\bcm\bma\bap\bps\bs.\b.c\bcf\bf a\ban\bnd\bd o\bot\bth\bhe\ber\br f\bfi\bil\ble\bes\bs
-
-The meta_directory parameter has the same default setting as the
-config_directory parameter, typically /etc/postfix or /usr/local/etc/postfix.
-
-You can override the default meta_directory location at compile time or after
-Postfix is built. To override the default location at compile time specify, for
-example:
-
- % make makefiles meta_directory=/usr/libexec/postfix ...
-
-Here is a tip if you want to make a pathname dependent on the Postfix release
-version: the command "make makefiles name=value..." will replace the string
-MAIL_VERSION at the end of a configuration parameter value with the Postfix
-release version. Do not try to specify something like $mail_version on this
-command line. This produces inconsistent results with different versions of the
-make(1) command.
-
-You can override the meta_directory setting after Postfix is built, with "make
-install" or "make upgrade".
-
- # make upgrade meta_directory=/usr/libexec/postfix ...
- # make install meta_directory=/usr/libexec/postfix ...
-
-As with the command "make makefiles, the command "make install/upgrade
-name=value..." will replace the string MAIL_VERSION at the end of a
-configuration parameter value with the Postfix release version. Do not try to
-specify something like $mail_version on this command line. This produces
-inconsistent results with different versions of the make(1) command.
-
-4\b4.\b.4\b4.\b.4\b4 T\bTi\bip\bps\bs f\bfo\bor\br d\bdi\bis\bst\btr\bri\bib\bbu\but\bti\bio\bon\bn m\bma\bai\bin\bnt\bta\bai\bin\bne\ber\brs\bs
-
- * The shlib_directory parameter setting also provides the default directory
- for database plugin files with a relative pathname in the file
- dynamicmaps.cf.
-
- * The meta_directory parameter specifies the location of the files
- dynamicmaps.cf, postfix-files, and some multi-instance template files. The
- meta_directory parameter has the same default value as the config_directory
- parameter (typically, /etc/postfix or /usr/local/etc/postfix). For
- backwards compatibility with Postfix 2.6 .. 2.11, specify "meta_directory =
- $daemon_directory" in main.cf before installing or upgrading Postfix, or
- specify "meta_directory = /path/name" on the "make makefiles", "make
- install" or "make upgrade" command line.
-
- * The configuration file dynamicmaps.cf will automatically include files
- under the directory dynamicmaps.cf.d, just like the configuration file
- postfix-files will automatically include files under the directory postfix-
- files.d. Thanks to this, you can install or deinstall a database plugin
- package without having to edit postfix-files or dynamicmaps.cf. Instead,
- you give that plugin its own configuration files dynamicmaps.cf.d and
- postfix-files.d, and you add or remove those configuration files along with
- the database plugin dynamically-linked object.
-
- * Each configuration file under the directory dynamicmaps.cf.d must have the
- same format as the configuration file dynamicmaps.cf. There is no
- requirement that these configuration file *names* have a specific format.
-
- * Each configuration file under the directory postfix-files.d must have the
- same format as the configuration file postfix-files. There is no
- requirement that these configuration file *names* have a specific format.
-
-4\b4.\b.5\b5 -\b- B\bBu\bui\bil\bld\bdi\bin\bng\bg w\bwi\bit\bth\bh o\bop\bpt\bti\bio\bon\bna\bal\bl f\bfe\bea\bat\btu\bur\bre\bes\bs
-
-By default, Postfix builds as a mail system with relatively few bells and
-whistles. Support for third-party databases etc. must be configured when
-Postfix is compiled. The following documents describe how to build Postfix with
-support for optional features:
-
- _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b
- |O\bOp\bpt\bti\bio\bon\bna\bal\bl f\bfe\bea\bat\btu\bur\bre\be |D\bDo\boc\bcu\bum\bme\ben\bnt\bt |A\bAv\bva\bai\bil\bla\bab\bbi\bil\bli\bit\bty\by|
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |Berkeley DB database |DB_README |Postfix 1.0 |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |LMDB database |LMDB_README |Postfix 2.11|
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |LDAP database |LDAP_README |Postfix 1.0 |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |MySQL database |MYSQL_README |Postfix 1.0 |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |Perl compatible regular expression|PCRE_README |Postfix 1.0 |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |PostgreSQL database |PGSQL_README |Postfix 2.0 |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |SASL authentication |SASL_README |Postfix 1.0 |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |SQLite database |SQLITE_README|Postfix 2.8 |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |STARTTLS session encryption |TLS_README |Postfix 2.2 |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-
-Note: IP version 6 support is compiled into Postfix on operating systems that
-have IPv6 support. See the IPV6_README file for details.
-
-4\b4.\b.6\b6 -\b- O\bOv\bve\ber\brr\bri\bid\bdi\bin\bng\bg b\bbu\bui\bil\blt\bt-\b-i\bin\bn p\bpa\bar\bra\bam\bme\bet\bte\ber\br d\bde\bef\bfa\bau\bul\blt\bt s\bse\bet\btt\bti\bin\bng\bgs\bs
-
-4\b4.\b.6\b6.\b.1\b1 -\b- P\bPo\bos\bst\btf\bfi\bix\bx 3\b3.\b.0\b0 a\ban\bnd\bd l\bla\bat\bte\ber\br
-
-All Postfix configuration parameters can be changed by editing a Postfix
-configuration file, except for one: the parameter that specifies the location
-of Postfix configuration files. In order to build Postfix with a configuration
-directory other than /etc/postfix, use:
-
- $ make makefiles config_directory=/some/where ...other arguments...
- $ make
-
-The command "make makefiles name=value ..." will replace the string
-MAIL_VERSION at the end of a configuration parameter value with the Postfix
-release version. Do not try to specify something like $mail_version on this
-command line. This produces inconsistent results with different versions of the
-make(1) command.
-
-Parameters whose defaults can be specified in this way are listed below. See
-the postconf(5) manpage for a description (command: "nroff -man man/man5/
-postconf.5 | less").
-
- _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b
- |p\bpa\bar\bra\bam\bme\bet\bte\ber\br n\bna\bam\bme\be |t\bty\byp\bpi\bic\bca\bal\bl d\bde\bef\bfa\bau\bul\blt\bt |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |command_directory |/usr/sbin |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |config_directory |/etc/postfix |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |default_database_type|hash |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |daemon_directory |/usr/libexec/postfix|
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |data_directory |/var/lib/postfix |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |html_directory |no |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |mail_spool_directory |/var/mail |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |mailq_path |/usr/bin/mailq |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |manpage_directory |/usr/local/man |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |meta_directory |/etc/postfix |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |newaliases_path |/usr/bin/newaliases |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |queue_directory |/var/spool/postfix |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |readme_directory |no |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |sendmail_path |/usr/sbin/sendmail |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |shlib_directory |/usr/lib/postfix |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-
-4\b4.\b.6\b6.\b.2\b2 -\b- A\bAl\bll\bl P\bPo\bos\bst\btf\bfi\bix\bx v\bve\ber\brs\bsi\bio\bon\bns\bs
-
-All Postfix configuration parameters can be changed by editing a Postfix
-configuration file, except for one: the parameter that specifies the location
-of Postfix configuration files. In order to build Postfix with a configuration
-directory other than /etc/postfix, use:
-
- $ make makefiles CCARGS='-DDEF_CONFIG_DIR=\"/some/where\"'
- $ make
-
-IMPORTANT: Be sure to get the quotes right. These details matter a lot.
-
-Parameters whose defaults can be specified in this way are listed below. See
-the postconf(5) manpage for a description (command: "nroff -man man/man5/
-postconf.5 | less").
-
- _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b
- |M\bMa\bac\bcr\bro\bo n\bna\bam\bme\be |d\bde\bef\bfa\bau\bul\blt\bt v\bva\bal\blu\bue\be f\bfo\bor\br |t\bty\byp\bpi\bic\bca\bal\bl d\bde\bef\bfa\bau\bul\blt\bt |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |DEF_COMMAND_DIR |command_directory |/usr/sbin |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |DEF_CONFIG_DIR |config_directory |/etc/postfix |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |DEF_DB_TYPE |default_database_type|hash |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |DEF_DAEMON_DIR |daemon_directory |/usr/libexec/postfix|
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |DEF_DATA_DIR |data_directory |/var/lib/postfix |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |DEF_MAILQ_PATH |mailq_path |/usr/bin/mailq |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |DEF_HTML_DIR |html_directory |no |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |DEF_MANPAGE_DIR |manpage_directory |/usr/local/man |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |DEF_NEWALIAS_PATH|newaliases_path |/usr/bin/newaliases |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |DEF_QUEUE_DIR |queue_directory |/var/spool/postfix |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |DEF_README_DIR |readme_directory |no |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |DEF_SENDMAIL_PATH|sendmail_path |/usr/sbin/sendmail |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-
-Note: the data_directory parameter (for caches and pseudo-random numbers) was
-introduced with Postfix version 2.5.
-
-4\b4.\b.7\b7 -\b- O\bOv\bve\ber\brr\bri\bid\bdi\bin\bng\bg o\bot\bth\bhe\ber\br c\bco\bom\bmp\bpi\bil\ble\be-\b-t\bti\bim\bme\be f\bfe\bea\bat\btu\bur\bre\bes\bs
-
-The general method to override Postfix compile-time features is as follows:
-
- $ make makefiles name=value name=value...
- $ make
-
-The following is an extensive list of names and values.
-
- _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b
-|N\bNa\bam\bme\be/\b/V\bVa\bal\blu\bue\be |D\bDe\bes\bsc\bcr\bri\bip\bpt\bti\bio\bon\bn |
-|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-| |Specifies one or more non-default object |
-| |libraries. Postfix 3.0 and later specify some |
-| |of their database library dependencies with |
-|AUXLIBS="object_library..." |AUXLIBS_CDB, AUXLIBS_LDAP, AUXLIBS_LMDB, |
-| |AUXLIBS_MYSQL, AUXLIBS_PCRE, AUXLIBS_PGSQL, |
-| |AUXLIBS_SDBM, and AUXLIBS_SQLITE, |
-| |respectively. |
-|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-|CC=compiler_command |Specifies a non-default compiler. On many |
-| |systems, the default is gcc. |
-|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-| |Specifies non-default compiler arguments, for |
-|CCARGS="compiler_arguments..."|example, a non-default include directory. The |
-| |following directives turn off Postfix features|
-| |at compile time: |
-|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-|| |Do not build with Berkeley DB support. By |
-|| |default, Berkeley DB support is compiled in on|
-||-DNO_DB |platforms that are known to support this |
-|| |feature. If you override this, then you |
-|| |probably should also override DEF_DB_TYPE as |
-|| |described in section 4.6. |
-|_\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-||-DNO_DNSSEC |Do not build with DNSSEC support, even if the |
-|| |resolver library appears to support it. |
-|_\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-|| |Do not build with Solaris /dev/poll support. |
-||-DNO_DEVPOLL |By default, /dev/poll support is compiled in |
-|| |on Solaris versions that are known to support |
-|| |this feature. |
-|_\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-|| |Do not build with Linux EPOLL support. By |
-||-DNO_EPOLL |default, EPOLL support is compiled in on |
-|| |platforms that are known to support this |
-|| |feature. |
-|_\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-|| |Do not build with EAI (SMTPUTF8) support. By |
-||-DNO_EAI |default, EAI support is compiled in when the |
-|| |"icuuc" library and header files are found. |
-|_\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-|| |Do not require support for C99 "inline" |
-||-DNO_INLINE |functions. Instead, implement argument |
-|| |typechecks for non-printf/scanf-like functions|
-|| |with ternary operators and unreachable code. |
-|_\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-|| |Do not build with IPv6 support. By default, |
-|| |IPv6 support is compiled in on platforms that |
-||-DNO_IPV6 |are known to have IPv6 support. Note: this |
-|| |directive is for debugging and testing only. |
-|| |It is not guaranteed to work on all platforms.|
-|_\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-|| |Do not build with FreeBSD / NetBSD / OpenBSD /|
-||-DNO_KQUEUE |MacOSX KQUEUE support. By default, KQUEUE |
-|| |support is compiled in on platforms that are |
-|| |known to support it. |
-|_\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-|| |Do not build with NIS or NISPLUS support. NIS |
-||-DNO_NIS |is not available on some recent Linux |
-|| |distributions. |
-|_\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-|| |Do not build with NISPLUS support. NISPLUS is |
-||-DNO_NISPLUS |not available on some recent Solaris |
-|| |distributions. |
-|_\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-|| |Do not build with PCRE support. By default, |
-||-DNO_PCRE |PCRE support is compiled in when the pcre- |
-|| |config utility is installed. |
-|_\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-|| |Disable support for POSIX getpwnam_r/ |
-||-DNO_POSIX_GETPW_R |getpwuid_r. By default Postfix uses these |
-|| |where they are known to be available. |
-|_\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-|| |Use setjmp()/longjmp() instead of sigsetjmp()/|
-||-DNO_SIGSETJMP |siglongjmp(). By default, Postfix uses |
-|| |sigsetjmp()/siglongjmp() when they are known |
-|| |to be available. |
-|_\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-| |Specifies a non-default compiler debugging |
-|DEBUG=debug_level |level. The default is "-g". Specify DEBUG= to |
-| |turn off debugging. |
-|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-| |Specifies a non-default optimization level. |
-|OPT=optimization_level |The default is "-O". Specify OPT= to turn off |
-| |optimization. |
-|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-| |Specifies non-default compiler options for |
-|SHLIB_CFLAGS=flags |building Postfix dynamically-linked libraries |
-| |and database plugins. The typical default is |
-| |"-fPIC". |
-|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-| |Specifies a non-default runpath for Postfix |
-|SHLIB_RPATH=rpath |dynamically-linked libraries. The typical |
-| |default is "'-Wl,-rpath,${SHLIB_DIR}'". |
-|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-| |Specifies a non-default suffix for Postfix |
-|SHLIB_SUFFIX=suffix |dynamically-linked libraries and database |
-| |plugins. The typical default is ".so". |
-|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-| |Specifies non-default compiler warning options|
-|WARN="warning_flags..." |for use when "make" is invoked in a source |
-| |subdirectory only. |
-|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
-
-4\b4.\b.8\b8 -\b- S\bSu\bup\bpp\bpo\bor\brt\bt f\bfo\bor\br t\bth\bho\bou\bus\bsa\ban\bnd\bds\bs o\bof\bf p\bpr\bro\boc\bce\bes\bss\bse\bes\bs
-
-The number of connections that Postfix can manage simultaneously is limited by
-the number of processes that it can run. This number in turn is limited by the
-number of files and sockets that a single process can open. For example, the
-Postfix queue manager has a separate connection to each delivery process, and
-the anvil(8) server has one connection per smtpd(8) process.
-
-Postfix version 2.4 and later have no built-in limits on the number of open
-files or sockets, when compiled on systems that support one of the following:
-
- * BSD kqueue(2) (FreeBSD 4.1, NetBSD 2.0, OpenBSD 2.9),
- * Solaris 8 /dev/poll,
- * Linux 2.6 epoll(4).
-
-With other Postfix versions or operating systems, the number of file
-descriptors per process is limited by the value of the FD_SETSIZE macro. If you
-expect to run more than 1000 mail delivery processes, you may need to override
-the definition of the FD_SETSIZE macro to make select() work correctly:
-
- $ make makefiles CCARGS=-DFD_SETSIZE=2048
-
-Warning: the above has no effect on some Linux versions. Apparently, on these
-systems the FD_SETSIZE value can be changed only by using undocumented
-interfaces. Currently, that means including <bits/types.h> directly (which is
-not allowed) and overriding the __FD_SETSIZE macro. Beware, undocumented
-interfaces can change at any time and without warning.
-
-But wait, there is more: none of this will work unless the operating system is
-configured to handle thousands of connections. See the TUNING_README guide for
-examples of how to increase the number of open sockets or files.
-
-4\b4.\b.9\b9 -\b- C\bCo\bom\bmp\bpi\bil\bli\bin\bng\bg P\bPo\bos\bst\btf\bfi\bix\bx,\b, a\bat\bt l\bla\bas\bst\bt
-
-If the command
-
- $ make
-
-is successful, then you can proceed to install Postfix (section 6).
-
-If the command produces compiler error messages, it may be time to search the
-web or to ask the postfix-users@postfix.org mailing list, but be sure to search
-the mailing list archives first. Some mailing list archives are linked from
-http://www.postfix.org/.
-
-5\b5 -\b- P\bPo\bor\brt\bti\bin\bng\bg P\bPo\bos\bst\btf\bfi\bix\bx t\bto\bo a\ban\bn u\bun\bns\bsu\bup\bpp\bpo\bor\brt\bte\bed\bd s\bsy\bys\bst\bte\bem\bm
-
-Each system type that Postfix knows is identified by a unique name. Examples:
-SUNOS5, FREEBSD4, and so on. When porting Postfix to a new system, the first
-step is to choose a SYSTEMTYPE name for the new system. You must use a name
-that includes at least the major version of the operating system (such as
-SUNOS4 or LINUX2), so that different releases of the same system can be
-supported without confusion.
-
-Add a case statement to the "makedefs" shell script in the source code top-
-level directory that recognizes the new system reliably, and that emits the
-right system-specific information. Be sure to make the code robust against user
-PATH settings; if the system offers multiple UNIX flavors (e.g. BSD and SYSV)
-be sure to build for the native flavor, instead of the emulated one.
-
-Add an "#ifdef SYSTEMTYPE" section to the central util/sys_defs.h include file.
-You may have to invent new feature macro names. Please choose sensible feature
-macro names such as HAS_DBM or FIONREAD_IN_SYS_FILIO_H.
-
-I strongly recommend against using "#ifdef SYSTEMTYPE" in individual source
-files. While this may look like the quickest solution, it will create a mess
-when newer versions of the same SYSTEMTYPE need to be supported. You're likely
-to end up placing "#ifdef" sections all over the source code again.
-
-6\b6 -\b- I\bIn\bns\bst\bta\bal\bll\bli\bin\bng\bg t\bth\bhe\be s\bso\bof\bft\btw\bwa\bar\bre\be a\baf\bft\bte\ber\br s\bsu\buc\bcc\bce\bes\bss\bsf\bfu\bul\bl c\bco\bom\bmp\bpi\bil\bla\bat\bti\bio\bon\bn
-
-This text describes how to install Postfix from source code. See the
-PACKAGE_README file if you are building a package for distribution to other
-systems.
-
-6\b6.\b.1\b1 -\b- S\bSa\bav\bve\be e\bex\bxi\bis\bst\bti\bin\bng\bg S\bSe\ben\bnd\bdm\bma\bai\bil\bl b\bbi\bin\bna\bar\bri\bie\bes\bs
-
-IMPORTANT: if you are REPLACING an existing Sendmail installation with Postfix,
-you may need to keep the old sendmail program running for some time in order to
-flush the mail queue.
-
- * Some systems implement a mail switch mechanism where different MTAs
- (Postfix, Sendmail, etc.) can be installed at the same time, while only one
- of them is actually being used. Examples of such switching mechanisms are
- the FreeBSD mailwrapper(8) or the Linux mail switch. In this case you
- should try to "flip" the switch to "Postfix" before installing Postfix.
-
- * If your system has no mail switch mechanism, execute the following commands
- (your sendmail, newaliases and mailq programs may be in a different place):
-
- # mv /usr/sbin/sendmail /usr/sbin/sendmail.OFF
- # mv /usr/bin/newaliases /usr/bin/newaliases.OFF
- # mv /usr/bin/mailq /usr/bin/mailq.OFF
- # chmod 755 /usr/sbin/sendmail.OFF /usr/bin/newaliases.OFF \
- /usr/bin/mailq.OFF
-
-6\b6.\b.2\b2 -\b- C\bCr\bre\bea\bat\bte\be a\bac\bcc\bco\bou\bun\bnt\bt a\ban\bnd\bd g\bgr\bro\bou\bup\bps\bs
-
-Before you install Postfix for the first time you need to create an account and
-a group:
-
- * Create a user account "postfix" with a user id and group id that are not
- used by any other user account. Preferably, this is an account that no-one
- can log into. The account does not need an executable login shell, and
- needs no existing home directory. My password and group file entries look
- like this:
-
- /etc/passwd:
- postfix:*:12345:12345:postfix:/no/where:/no/shell
-
- /etc/group:
- postfix:*:12345:
-
- Note: there should be no whitespace before "postfix:".
-
- * Create a group "postdrop" with a group id that is not used by any other
- user account. Not even by the postfix user account. My group file entry
- looks like:
-
- /etc/group:
- postdrop:*:54321:
-
- Note: there should be no whitespace before "postdrop:".
-
-6\b6.\b.3\b3 -\b- I\bIn\bns\bst\bta\bal\bll\bl P\bPo\bos\bst\btf\bfi\bix\bx
-
-To install or upgrade Postfix from compiled source code, run one of the
-following commands as the super-user:
-
- # make install (interactive version, first time install)
-
- # make upgrade (non-interactive version, for upgrades)
-
- * The interactive version ("make install") asks for pathnames for Postfix
- data and program files, and stores your preferences in the main.cf file. I\bIf\bf
- y\byo\bou\bu d\bdo\bon\bn'\b't\bt w\bwa\ban\bnt\bt P\bPo\bos\bst\btf\bfi\bix\bx t\bto\bo o\bov\bve\ber\brw\bwr\bri\bit\bte\be n\bno\bon\bn-\b-P\bPo\bos\bst\btf\bfi\bix\bx "\b"s\bse\ben\bnd\bdm\bma\bai\bil\bl"\b",\b, "\b"m\bma\bai\bil\blq\bq"\b" a\ban\bnd\bd
- "\b"n\bne\bew\bwa\bal\bli\bia\bas\bse\bes\bs"\b" f\bfi\bil\ble\bes\bs,\b, s\bsp\bpe\bec\bci\bif\bfy\by p\bpa\bat\bth\bhn\bna\bam\bme\bes\bs t\bth\bha\bat\bt e\ben\bnd\bd i\bin\bn "\b".\b.p\bpo\bos\bst\btf\bfi\bix\bx"\b".
-
- * The non-interactive version ("make upgrade") needs the /etc/postfix/main.cf
- file from a previous installation. If the file does not exist, use
- interactive installation ("make install") instead.
-
- * If you specify name=value arguments on the "make install" or "make upgrade"
- command line, then these will take precedence over compiled-in default
- settings or main.cf settings.
-
- The command "make install/upgrade name=value ..." will replace the string
- MAIL_VERSION at the end of a configuration parameter value with the Postfix
- release version. Do not try to specify something like $mail_version on this
- command line. This produces inconsistent results with different versions of
- the make(1) command.
-
-6\b6.\b.4\b4 -\b- C\bCo\bon\bnf\bfi\big\bgu\bur\bre\be P\bPo\bos\bst\btf\bfi\bix\bx
-
-Proceed to the section on how you wish to run Postfix on your particular
-machine:
-
- * Send mail only, without changing an existing Sendmail installation (section
- 7).
-
- * Send and receive mail via a virtual host interface, still without any
- change to an existing Sendmail installation (section 8).
-
- * Run Postfix instead of Sendmail (section 9).
-
-7\b7 -\b- C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg P\bPo\bos\bst\btf\bfi\bix\bx t\bto\bo s\bse\ben\bnd\bd m\bma\bai\bil\bl o\bon\bnl\bly\by
-
-If you are going to use Postfix to send mail only, there is no need to change
-your existing sendmail setup. Instead, set up your mail user agent so that it
-calls the Postfix sendmail program directly.
-
-Follow the instructions in the "Mandatory configuration file edits" in section
-10, and review the "To chroot or not to chroot" text in section 11.
-
-You MUST comment out the "smtp inet" entry in /etc/postfix/master.cf, in order
-to avoid conflicts with the real sendmail. Put a "#" character in front of the
-line that defines the smtpd service:
-
- /etc/postfix/master.cf:
- #smtp inet n - n - - smtpd
-
-Start the Postfix system:
-
- # postfix start
-
-or, if you feel nostalgic, use the Postfix sendmail command:
-
- # sendmail -bd -qwhatever
-
-and watch your maillog file for any error messages. The pathname is /var/log/
-maillog, /var/log/mail, /var/log/syslog, or something else. Typically, the
-pathname is defined in the /etc/syslog.conf file.
-
- $ egrep '(reject|warning|error|fatal|panic):' /some/log/file
-
-Note: the most important error message is logged first. Later messages are not
-as useful.
-
-In order to inspect the mail queue, use one of the following commands:
-
- $ mailq
-
- $ sendmail -bp
-
- $ postqueue -p
-
-See also the "Care and feeding" section 12 below.
-
-8\b8 -\b- C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg P\bPo\bos\bst\btf\bfi\bix\bx t\bto\bo s\bse\ben\bnd\bd a\ban\bnd\bd r\bre\bec\bce\bei\biv\bve\be m\bma\bai\bil\bl v\bvi\bia\ba v\bvi\bir\brt\btu\bua\bal\bl i\bin\bnt\bte\ber\brf\bfa\bac\bce\be
-
-Alternatively, you can use the Postfix system to send AND receive mail while
-leaving your Sendmail setup intact, by running Postfix on a virtual interface
-address. Simply configure your mail user agent to directly invoke the Postfix
-sendmail program.
-
-To create a virtual network interface address, study your system ifconfig
-manual page. The command syntax could be any of:
-
- # i
\bif
\bfc
\bco
\bon
\bnf
\bfi
\big
\bg l
\ble
\be0
\b0:
\b:1
\b1 <
\b<a
\bad
\bdd
\bdr
\bre
\bes
\bss
\bs>
\b> n
\bne
\bet
\btm
\bma
\bas
\bsk
\bk <
\b<m
\bma
\bas
\bsk
\bk>
\b> u
\bup
\bp
- # i
\bif
\bfc
\bco
\bon
\bnf
\bfi
\big
\bg e
\ben
\bn0
\b0 a
\bal
\bli
\bia
\bas
\bs <
\b<a
\bad
\bdd
\bdr
\bre
\bes
\bss
\bs>
\b> n
\bne
\bet
\btm
\bma
\bas
\bsk
\bk 2
\b25
\b55
\b5.
\b.2
\b25
\b55
\b5.
\b.2
\b25
\b55
\b5.
\b.2
\b25
\b55
\b5
-
-In the /etc/postfix/main.cf file, I would specify
-
- /etc/postfix/main.cf:
- myhostname = virtual.host.tld
- inet_interfaces = $myhostname
- mydestination = $myhostname
-
-Follow the instructions in the "Mandatory configuration file edits" in section
-10, and review the "To chroot or not to chroot" text in section 11.
-
-Start the Postfix system:
-
- # postfix start
-
-or, if you feel nostalgic, use the Postfix sendmail command:
-
- # sendmail -bd -qwhatever
-
-and watch your maillog file for any error messages. The pathname is /var/log/
-maillog, /var/log/mail, /var/log/syslog, or something else. Typically, the
-pathname is defined in the /etc/syslog.conf file.
-
- $ egrep '(reject|warning|error|fatal|panic):' /some/log/file
-
-Note: the most important error message is logged first. Later messages are not
-as useful.
-
-In order to inspect the mail queue, use one of the following commands:
-
- $ mailq
-
- $ sendmail -bp
-
- $ postqueue -p
-
-See also the "Care and feeding" section 12 below.
-
-9\b9 -\b- R\bRu\bun\bnn\bni\bin\bng\bg P\bPo\bos\bst\btf\bfi\bix\bx i\bin\bns\bst\bte\bea\bad\bd o\bof\bf S\bSe\ben\bnd\bdm\bma\bai\bil\bl
-
-Prior to installing Postfix you should save any existing sendmail program files
-as described in section 6. Be sure to keep the old sendmail running for at
-least a couple days to flush any unsent mail. To do so, stop the sendmail
-daemon and restart it as:
-
- # /usr/sbin/sendmail.OFF -q
-
-Note: this is old sendmail syntax. Newer versions use separate processes for
-mail submission and for running the queue.
-
-After you have visited the "Mandatory configuration file edits" section below,
-you can start the Postfix system with:
-
- # postfix start
-
-or, if you feel nostalgic, use the Postfix sendmail command:
-
- # sendmail -bd -qwhatever
-
-and watch your maillog file for any error messages. The pathname is /var/log/
-maillog, /var/log/mail, /var/log/syslog, or something else. Typically, the
-pathname is defined in the /etc/syslog.conf file.
-
- $ egrep '(reject|warning|error|fatal|panic):' /some/log/file
-
-Note: the most important error message is logged first. Later messages are not
-as useful.
-
-In order to inspect the mail queue, use one of the following commands:
-
- $ mailq
-
- $ sendmail -bp
-
- $ postqueue -p
-
-See also the "Care and feeding" section 12 below.
-
-1\b10\b0 -\b- M\bMa\ban\bnd\bda\bat\bto\bor\bry\by c\bco\bon\bnf\bfi\big\bgu\bur\bra\bat\bti\bio\bon\bn f\bfi\bil\ble\be e\bed\bdi\bit\bts\bs
-
-Note: the material covered in this section is covered in more detail in the
-BASIC_CONFIGURATION_README document. The information presented below is
-targeted at experienced system administrators.
-
-1\b10\b0.\b.1\b1 -\b- P\bPo\bos\bst\btf\bfi\bix\bx c\bco\bon\bnf\bfi\big\bgu\bur\bra\bat\bti\bio\bon\bn f\bfi\bil\ble\bes\bs
-
-By default, Postfix configuration files are in /etc/postfix. The two most
-important files are main.cf and master.cf; these files must be owned by root.
-Giving someone else write permission to main.cf or master.cf (or to their
-parent directories) means giving root privileges to that person.
-
-In /etc/postfix/main.cf, you will have to set up a minimal number of
-configuration parameters. Postfix configuration parameters resemble shell
-variables, with two important differences: the first one is that Postfix does
-not know about quotes like the UNIX shell does.
-
-You specify a configuration parameter as:
-
- /etc/postfix/main.cf:
- parameter = value
-
-and you use it by putting a "$" character in front of its name:
-
- /etc/postfix/main.cf:
- other_parameter = $parameter
-
-You can use $parameter before it is given a value (that is the second main
-difference with UNIX shell variables). The Postfix configuration language uses
-lazy evaluation, and does not look at a parameter value until it is needed at
-runtime.
-
-Whenever you make a change to the main.cf or master.cf file, execute the
-following command in order to refresh a running mail system:
-
- # postfix reload
-
-1\b10\b0.\b.2\b2 -\b- D\bDe\bef\bfa\bau\bul\blt\bt d\bdo\bom\bma\bai\bin\bn f\bfo\bor\br u\bun\bnq\bqu\bua\bal\bli\bif\bfi\bie\bed\bd a\bad\bdd\bdr\bre\bes\bss\bse\bes\bs
-
-First of all, you must specify what domain will be appended to an unqualified
-address (i.e. an address without @domain.tld). The "myorigin" parameter
-defaults to the local hostname, but that is probably OK only for very small
-sites.
-
-Some examples (use only one):
-
- /etc/postfix/main.cf:
- myorigin = $myhostname (send mail as "user@$myhostname")
- myorigin = $mydomain (send mail as "user@$mydomain")
-
-1\b10\b0.\b.3\b3 -\b- W\bWh\bha\bat\bt d\bdo\bom\bma\bai\bin\bns\bs t\bto\bo r\bre\bec\bce\bei\biv\bve\be l\blo\boc\bca\bal\bll\bly\by
-
-Next you need to specify what mail addresses Postfix should deliver locally.
-
-Some examples (use only one):
-
- /etc/postfix/main.cf:
- mydestination = $myhostname, localhost.$mydomain, localhost
- mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
- mydestination = $myhostname
-
-The first example is appropriate for a workstation, the second is appropriate
-for the mailserver for an entire domain. The third example should be used when
-running on a virtual host interface.
-
-1\b10\b0.\b.4\b4 -\b- P\bPr\bro\box\bxy\by/\b/N\bNA\bAT\bT i\bin\bnt\bte\ber\brf\bfa\bac\bce\be a\bad\bdd\bdr\bre\bes\bss\bse\bes\bs
-
-The proxy_interfaces parameter specifies all network addresses that Postfix
-receives mail on by way of a proxy or network address translation unit. You may
-specify symbolic hostnames instead of network addresses.
-
-IMPORTANT: You must specify your proxy/NAT external addresses when your system
-is a backup MX host for other domains, otherwise mail delivery loops will
-happen when the primary MX host is down.
-
-Example: host behind NAT box running a backup MX host.
-
- /etc/postfix/main.cf:
- proxy_interfaces = 1.2.3.4 (the proxy/NAT external network address)
-
-1\b10\b0.\b.5\b5 -\b- W\bWh\bha\bat\bt l\blo\boc\bca\bal\bl c\bcl\bli\bie\ben\bnt\bts\bs t\bto\bo r\bre\bel\bla\bay\by m\bma\bai\bil\bl f\bfr\bro\bom\bm
-
-If your machine is on an open network then you must specify what client IP
-addresses are authorized to relay their mail through your machine into the
-Internet. The default setting includes all subnetworks that the machine is
-attached to. This may give relay permission to too many clients. My own
-settings are:
-
- /etc/postfix/main.cf:
- mynetworks = 168.100.189.0/28, 127.0.0.0/8
-
-1\b10\b0.\b.6\b6 -\b- W\bWh\bha\bat\bt r\bre\bel\bla\bay\by d\bde\bes\bst\bti\bin\bna\bat\bti\bio\bon\bns\bs t\bto\bo a\bac\bcc\bce\bep\bpt\bt f\bfr\bro\bom\bm s\bst\btr\bra\ban\bng\bge\ber\brs\bs
-
-If your machine is on an open network then you must also specify whether
-Postfix will forward mail from strangers. The default setting will forward mail
-to all domains (and subdomains of) what is listed in $mydestination. This may
-give relay permission for too many destinations. Recommended settings (use only
-one):
-
- /etc/postfix/main.cf:
- relay_domains = (do not forward mail from strangers)
- relay_domains = $mydomain (my domain and subdomains)
- relay_domains = $mydomain, other.domain.tld, ...
-
-1\b10\b0.\b.7\b7 -\b- O\bOp\bpt\bti\bio\bon\bna\bal\bl:\b: c\bco\bon\bnf\bfi\big\bgu\bur\bre\be a\ba s\bsm\bma\bar\brt\bt h\bho\bos\bst\bt f\bfo\bor\br r\bre\bem\bmo\bot\bte\be d\bde\bel\bli\biv\bve\ber\bry\by
-
-If you're behind a firewall, you should set up a relayhost. If you can, specify
-the organizational domain name so that Postfix can use DNS lookups, and so that
-it can fall back to a secondary MX host when the primary MX host is down.
-Otherwise just specify a hard-coded hostname.
-
-Some examples (use only one):
-
- /etc/postfix/main.cf:
- relayhost = $mydomain
- relayhost = [mail.$mydomain]
-
-The form enclosed with [] eliminates DNS MX lookups.
-
-By default, the SMTP client will do DNS lookups even when you specify a relay
-host. If your machine has no access to a DNS server, turn off SMTP client DNS
-lookups like this:
-
- /etc/postfix/main.cf:
- disable_dns_lookups = yes
-
-The STANDARD_CONFIGURATION_README file has more hints and tips for firewalled
-and/or dial-up networks.
-
-1\b10\b0.\b.8\b8 -\b- C\bCr\bre\bea\bat\bte\be t\bth\bhe\be a\bal\bli\bia\bas\bse\bes\bs d\bda\bat\bta\bab\bba\bas\bse\be
-
-Postfix uses a Sendmail-compatible aliases(5) table to redirect mail for local
-(8) recipients. Typically, this information is kept in two files: in a text
-file /etc/aliases and in an indexed file /etc/aliases.db. The command "postconf
-alias_maps" will tell you the exact location of the text file.
-
-First, be sure to update the text file with aliases for root, postmaster and
-"postfix" that forward mail to a real person. Postfix has a sample aliases file
-/etc/postfix/aliases that you can adapt to local conditions.
-
- /etc/aliases:
- root: you
- postmaster: root
- postfix: root
- bin: root
- etcetera...
-
-Note: there should be no whitespace before the ":".
-
-Finally, build the indexed aliases file with one of the following commands:
-
- # newaliases
- # sendmail -bi
-
-1\b11\b1 -\b- T\bTo\bo c\bch\bhr\bro\boo\bot\bt o\bor\br n\bno\bot\bt t\bto\bo c\bch\bhr\bro\boo\bot\bt
-
-Postfix daemon processes can be configured (via master.cf) to run in a chroot
-jail. The processes run at a fixed low privilege and with access only to the
-Postfix queue directories (/var/spool/postfix). This provides a significant
-barrier against intrusion. The barrier is not impenetrable, but every little
-bit helps.
-
-With the exception of Postfix daemons that deliver mail locally and/or that
-execute non-Postfix commands, every Postfix daemon can run chrooted.
-
-Sites with high security requirements should consider to chroot all daemons
-that talk to the network: the smtp(8) and smtpd(8) processes, and perhaps also
-the lmtp(8) client. The author's own porcupine.org mail server runs all daemons
-chrooted that can be chrooted.
-
-The default /etc/postfix/master.cf file specifies that no Postfix daemon runs
-chrooted. In order to enable chroot operation, edit the file /etc/postfix/
-master.cf. Instructions are in the file.
-
-Note that a chrooted daemon resolves all filenames relative to the Postfix
-queue directory (/var/spool/postfix). For successful use of a chroot jail, most
-UNIX systems require you to bring in some files or device nodes. The examples/
-chroot-setup directory in the source code distribution has a collection of
-scripts that help you set up Postfix chroot environments on different operating
-systems.
-
-Additionally, you almost certainly need to configure syslogd so that it listens
-on a socket inside the Postfix queue directory. Examples for specific systems:
-
-FreeBSD:
-
- # mkdir -p /var/spool/postfix/var/run
- # syslogd -l /var/spool/postfix/var/run/log
-
-Linux, OpenBSD:
-
- # mkdir -p /var/spool/postfix/dev
- # syslogd -a /var/spool/postfix/dev/log
-
-1\b12\b2 -\b- C\bCa\bar\bre\be a\ban\bnd\bd f\bfe\bee\bed\bdi\bin\bng\bg o\bof\bf t\bth\bhe\be P\bPo\bos\bst\btf\bfi\bix\bx s\bsy\bys\bst\bte\bem\bm
-
-Postfix daemon processes run in the background, and log problems and normal
-activity to the syslog daemon. The names of logfiles are specified in /etc/
-syslog.conf. At the very least you need something like:
-
- /etc/syslog.conf:
- mail.err /dev/console
- mail.debug /var/log/maillog
-
-IMPORTANT: the syslogd will not create files. You must create them before
-(re)starting syslogd.
-
-IMPORTANT: on Linux you need to put a "-" character before the pathname, e.g.,
--/var/log/maillog, otherwise the syslogd will use more system resources than
-Postfix does.
-
-Hopefully, the number of problems will be small, but it is a good idea to run
-every night before the syslog files are rotated:
-
- # postfix check
- # egrep '(reject|warning|error|fatal|panic):' /some/log/file
-
- * The first line (postfix check) causes Postfix to report file permission/
- ownership discrepancies.
-
- * The second line looks for problem reports from the mail software, and
- reports how effective the relay and junk mail access blocks are. This may
- produce a lot of output. You will want to apply some postprocessing to
- eliminate uninteresting information.
-
-The DEBUG_README document describes the meaning of the "warning" etc. labels in
-Postfix logging.
-
<---seed---- ----seed--->
Network-> smtpd(8) tlsmgr(8) smtp(8) ->Network
- <-key/cert-> <-key/cert->
+ <-key/cert-> <-key/cert->
/ | \
|
Historical note: while the documentation of these issues and many of the
related features were new with Postfix 2.3, the issue was well understood
-before Postfix 1.0, when Lutz Jänicke was designing the first unofficial
+before Postfix 1.0, when Lutz Ja"nicke was designing the first unofficial
Postfix TLS patch. See his original post http://www.imc.org/ietf-apps-tls/mail-
archive/msg00304.html and the first response http://www.imc.org/ietf-apps-tls/
mail-archive/msg00305.html. The problem is not even unique to SMTP or even TLS,
The following steps will get you started quickly. Because you sign your own
Postfix public key certificate, you get TLS encryption but no TLS
authentication. This is sufficient for testing, and for exchanging email with
-sites that you have no trust relationship with. For real authentication, your
-Postfix public key certificate needs to be signed by a recognized Certification
-Authority, and Postfix needs to be configured with a list of public key
-certificates of Certification Authorities, so that Postfix can verify the
-public key certificates of remote hosts.
+sites that you have no trust relationship with. For real authentication you
+need also enable DNSSEC record signing for your domain and publish TLSA records
+and/or your Postfix public key certificate needs to be signed by a recognized
+Certification Authority. To authenticate the certificates of remote host you
+need a DNSSEC-validating local resolver and to enable DANE authentication and/
+or configure the Postfix SMTP client with a list of public key certificates of
+Certification Authorities, but make sure to read about the limitations of the
+latter approach.
In the examples below, user input is shown in b\bbo\bol\bld\bd font, and a "#" prompt
indicates a super-user shell.
+ * Quick-start TLS with Postfix >= 3.1.
+
* Self-signed server certificate.
* Private Certification Authority.
+Q\bQu\bui\bic\bck\bk-\b-s\bst\bta\bar\brt\bt T\bTL\bLS\bS w\bwi\bit\bth\bh P\bPo\bos\bst\btf\bfi\bix\bx >\b>=\b= 3\b3.\b.1\b1
+
+Postfix 3.1 provides built-in support for enabling TLS in the SMTP client and
+server and for ongoing certificate and DANE TLSA record management.
+
+ * Quick-start TLS in the Postfix >= 3.1 SMTP client.
+
+ * Quick-start TLS in the Postfix >= 3.1 SMTP server.
+
+Q\bQu\bui\bic\bck\bk-\b-s\bst\bta\bar\brt\bt T\bTL\bLS\bS i\bin\bn t\bth\bhe\be P\bPo\bos\bst\btf\bfi\bix\bx >\b>=\b= 3\b3.\b.1\b1 S\bSM\bMT\bTP\bP c\bcl\bli\bie\ben\bnt\bt.\b.
+
+If you are using Postfix 3.1 or later, and your SMTP client TLS settings are in
+their default state, you can enable opportunistic TLS in the SMTP client as
+follows:
+
+ # postfix tls enable-client
+ # postfix reload
+
+If some of the Postfix SMTP client TLS settings are not in their default state,
+this will not make any changes, but will instead suggest the minimal required
+settings for SMTP client TLS. The "postfix reload" command is optional, it is
+only needed if you want the settings to take effect right away. Note, this does
+not enable trust in any public certification authorities, and does not
+configure client TLS certificates as these are largely pointless with
+opportunistic TLS.
+
+There is not yet a turn-key command for enabling DANE authentication. This is
+because DANE requires changes to your r\bre\bes\bso\bol\blv\bv.\b.c\bco\bon\bnf\bf file and a corresponding
+DNSSEC-validating resolver local to the Postfix host, these changes are
+difficult to automate in a portable way.
+
+If you're willing to revert your settings to the defaults and switch to a
+"stock" opportunistic TLS configuration, then you can: erase all the SMTP
+client TLS settings and then enable client TLS:
+
+ # postconf -X `postconf -nH | egrep '^smtp(_|_enforce_|_use_)tls'`
+ # postfix tls enable-client
+ # postfix reload
+
+Q\bQu\bui\bic\bck\bk-\b-s\bst\bta\bar\brt\bt T\bTL\bLS\bS i\bin\bn t\bth\bhe\be P\bPo\bos\bst\btf\bfi\bix\bx >\b>=\b= 3\b3.\b.1\b1 S\bSM\bMT\bTP\bP s\bse\ber\brv\bve\ber\br.\b.
+
+If you are using Postfix 3.1 or later, and your SMTP server TLS settings are in
+their default state, you can enable opportunistic TLS in the SMTP server as
+follows:
+
+ # postfix tls enable-server
+ # postfix reload
+
+If some of the Postfix SMTP client TLS settings are not in their default state,
+this will not make any changes, but will instead suggest the minimal required
+settings for SMTP client TLS. The "postfix reload" command is optional, it is
+only needed if you want the settings to take effect right away. This will
+generate a self-signed private key and certificate and enable TLS in the
+Postfix SMTP server.
+
+If you're willing to revert your settings to the defaults and switch to a
+"stock" server TLS configuration, then you can: erase all the SMTP server TLS
+settings and then enable server TLS:
+
+ # postconf -X `postconf -nH | egrep '^smtpd(_|_enforce_|_use_)tls'`
+ # postfix tls enable-server
+ # postfix reload
+
+Postfix >= 3.1 provides additional built-in support for ongoing management of
+TLS in the SMTP server, via additional "postfix tls" sub-commands. These make
+it easy to generate certificate signing requests, create and deploy new keys
+and certificates, and generate DANE TLSA records. See the postfix-tls(1)
+documentation for details.
+
S\bSe\bel\blf\bf-\b-s\bsi\big\bgn\bne\bed\bd s\bse\ber\brv\bve\ber\br c\bce\ber\brt\bti\bif\bfi\bic\bca\bat\bte\be
The following commands (credits: Viktor Dukhovni) generate and install a 2048-
C\bCr\bre\bed\bdi\bit\bts\bs
- * TLS support for Postfix was originally developed by Lutz Jänicke at Cottbus
- Technical University.
+ * TLS support for Postfix was originally developed by Lutz Ja"nicke at
+ Cottbus Technical University.
* Wietse Venema adopted the code, did some restructuring, and compiled this
part of the documentation from Lutz's documents.
* Victor Duchovni was instrumental with the re-implementation of the
#$daemon_directory/postfix-files:f:root:-:644:o
#$daemon_directory/postfix-files.d:d:root:-:755:o
$daemon_directory/postfix-script:f:root:-:755
+$daemon_directory/postfix-tls-script:f:root:-:755
$daemon_directory/postfix-wrapper:f:root:-:755
$daemon_directory/postmulti-script:f:root:-:755
$daemon_directory/postscreen:f:root:-:755
$manpage_directory/man1/postconf.1:f:root:-:644
$manpage_directory/man1/postdrop.1:f:root:-:644
$manpage_directory/man1/postfix.1:f:root:-:644
+$manpage_directory/man1/postfix-tls.1:f:root:-:644
$manpage_directory/man1/postkick.1:f:root:-:644
$manpage_directory/man1/postlock.1:f:root:-:644
$manpage_directory/man1/postlog.1:f:root:-:644
$daemon_directory/post-install "$@"
;;
+tls)
+ shift
+ $daemon_directory/postfix-tls-script "$@"
+ ;;
+
/*)
# Currently not part of the public interface.
"$@"
--- /dev/null
+#!/bin/sh
+
+#++
+# NAME
+# postfix-tls 1
+# SUMMARY
+# Postfix TLS management
+# SYNOPSIS
+# \fBpostfix tls\fR \fIsubcommand\fB ...\fR
+# DESCRIPTION
+# The "\fBpostfix tls \fIsubcommand\fB ...\fR" feature enables
+# opportunistic TLS in the Postfix SMTP client or server, and
+# manages Postfix SMTP server private keys and certificates.
+#
+# The following subcommands are available:
+# .IP "\fBenable-client\fR [\fB-r \fIrandsource\fR]"
+# Enable opportunistic TLS in the Postfix SMTP client, if all
+# SMTP client TLS settings are at their default values.
+# Otherwise, suggest parameter settings without making any
+# changes.
+# .sp
+# Specify \fIrandsource\fR to update the value of the
+# \fBtls_random_source\fR configuration parameter (typically,
+# /dev/urandom). Prepend \fBdev:\fR to device paths or
+# \fBegd:\fR to EGD socket paths.
+# .IP "\fBenable-server\fR [\fB-r \fIrandsource\fR] [\fB-a \fIalgorithm\fR] [\fB-b \fIbits\fR] [\fIhostname\fB ...\fR]"
+# Create a new private key and self-signed server certificate
+# and enable opportunistic TLS in the Postfix SMTP server,
+# if all SMTP server TLS settings are at their default values.
+# Otherwise, suggest parameter settings without making any
+# changes.
+# .sp
+# The \fIrandsource\fR parameter is as with \fBenable-client\fR
+# above, and the remaining options are as with \fBnew-server-key\fR
+# below.
+# .IP "\fBnew-server-key\fR [\fB-a \fIalgorithm\fR] [\fB-b \fIbits\fR] [\fIhostname\fB ...\fR]"
+# Create a new private key and self-signed server certificate,
+# but do not deploy them. Log and display commands to deploy
+# the new key and corresponding certificate. Also log and
+# display commands to output a corresponding CSR or TLSA
+# records which may be needed to obtain a CA certificate or
+# to update DNS before the new key can be deployed.
+# .sp
+# The \fIalgorithm\fR defaults to \fBrsa\fR, and \fIbits\fR
+# defaults to 2048. If you choose the \fBecdsa\fR \fIalgorithm\fR
+# then \fIbits\fR will be an EC curve name (by default
+# \fBsecp256r1\fR, also known as prime256v1). Curves other
+# than \fBsecp256r1\fR, \fBsecp384r1\fR or \fBsecp521r1\fR
+# are unlikely to be widely interoperable. When generating
+# EC keys, use one of these three. DSA keys are obsolete and
+# are not supported.
+# .sp
+# Note: ECDSA support requires OpenSSL 1.0.0 or later and may
+# not be available on your system. Not all client systems
+# will support ECDSA, so you'll generally want to deploy both
+# RSA and ECDSA certificates to make use of ECDSA with
+# compatible clients and RSA with the rest. If you want to
+# deploy certificate chains with intermediate CAs for both
+# RSA and ECDSA, you'll want at least OpenSSL 1.0.2, as earlier
+# versions may not handle multiple chain files correctly.
+# .sp
+# The first \fIhostname\fR argument will be the \fBCommonName\fR
+# of both the subject and issuer of the self-signed certificate.
+# It, and any additional \fIhostname\fR arguments, will also
+# be listed as DNS alternative names in the certificate. If
+# no \fIhostname\fR is provided the value of the \fBmyhostname\fR
+# main.cf parameter will be used.
+# .sp
+# For RSA, the generated private key and certificate files
+# are named \fBkey-\fIyyyymmdd-hhmmss\fB.pem\fR and
+# \fBcert-\fIyyyymmdd-hhmmss\fB.pem\fR, where \fIyyyymmdd\fR
+# is the calendar date and \fIhhmmss\fR is the time of day
+# in UTC. For ECDSA, the file names start with \fBeckey-\fR
+# and \fBeccert-\fR instead of \fBkey-\fR and \fBcert-\fR
+# respectively.
+# .sp
+# Before deploying the new key and certificate with DANE,
+# update the DNS with new DANE TLSA records, then wait for
+# secondary nameservers to update and then for stale records
+# in remote DNS caches to expire.
+# .sp
+# Before deploying a new CA certificate make sure to include
+# all the required intermediate issuing CA certificates in
+# the certificate chain file. The server certificate must
+# be the first certificate in the chain file. Overwrite and
+# deploy the file with the original self-signed certificate
+# that was generated together with the key.
+# .IP "\fBnew-server-cert\fR [\fB-a \fIalgorithm\fR] [\fB-b \fIbits\fR] [\fIhostname\fB ...\fR]"
+# This is just like \fBnew-server-key\fR except that, rather
+# than generating a new private key, any currently deployed
+# private key is copied to the new key file. Thus if you're
+# publishing DANE TLSA "3 1 1" or "3 1 2" records, there is
+# no need to update DNS records. The \fIalgorithm\fB and
+# \fIbits\fR arguments are used only if no key of the same
+# algorithm is already configured.
+# .sp
+# This command is rarely needed, because the self-signed
+# certificates generated have a 100-year nominal expiration
+# time. The underlying public key algorithms may well be
+# obsoleted by quantum computers long before then.
+# .sp
+# The most plausible reason for using this command is when
+# the system hostname changes, and you'd like the name in the
+# certificate to match the new hostname (not required for
+# DANE "3 1 1", but some needlessly picky non-DANE opportunistic
+# TLS clients may log warnings or even refuse to communicate).
+# .IP "\fBdeploy-server-cert \fIcertfile\fB \fIkeyfile\fR"
+# This subcommand deploys the certificates in \fIcertfile\fR
+# and private key in \fIkeyfile\fR (which are typically
+# generated by the commands above, which will also log and
+# display the full command needed to deploy the generated key
+# and certificate). After the new certificate and key are
+# deployed any obsolete keys and certificates may be removed
+# by hand. The \fIkeyfile\fR and \fIcertfile\fR filenames
+# are relative to the Postfix configuration directory.
+# .IP "\fBoutput-server-csr\fR [\fB-k \fIkeyfile\fR] [\fIhostname\fB
+# ...\fR]"
+# Write to stdout a certificate signing request (CSR) for the
+# specified \fIkeyfile\fR.
+# .sp
+# Instead of a filename, \fIkeyfile\fR may specify one of the
+# supported key algorithm names (see "\fBpostconf -T
+# public-key-algorithms\fR"). In that case, the corresponding
+# setting from main.cf is used to locate the \fIkeyfile\fR.
+# The default \fIkeyfile\fR value is \fBrsa\fR.
+# .sp
+# Zero or more \fIhostname\fR values can be specified. The
+# default \fIhostname\fR is the value of \fBmyhostname\fR
+# main.cf parameter.
+# .IP "\fBoutput-server-tlsa\fR [\fB-h \fIhostname\fR] [\fIkeyfile\fB ...\fR]"
+# Write to stdout a DANE TLSA RRset suitable for a port 25
+# SMTP server on host \fIhostname\fR with keys from any of
+# the specified \fIkeyfile\fR values. The default \fIhostname\fR
+# is the value of the \fBmyhostname\fR main.cf parameter.
+# .sp
+# Instead of filenames, the \fIkeyfile\fR list may specify
+# names of supported public key algorithms (see "\fBpostconf
+# -T public-key-algorithms\fR"). In that case, the actual
+# \fIkeyfile\fR list uses the values of the corresponding
+# Postfix server TLS key file parameters. If a parameter
+# value is empty or equal to \fBnone\fR, then no TLSA record
+# is output for that algorithm.
+# .sp
+# The default \fIkeyfile\fR list consists of the two supported
+# algorithms \fBrsa\fR and \fBecdsa\fR.
+# CONFIGURATION PARAMETERS
+# .ad
+# .fi
+# The "\fBpostfix tls \fIsubcommand\fB ...\fR" feature reads
+# or updates the following configuration parameters.
+# .IP "\fBcommand_directory (see 'postconf -d' output)\fR"
+# The location of all postfix administrative commands.
+# .IP "\fBconfig_directory (see 'postconf -d' output)\fR"
+# The default location of the Postfix main.cf and master.cf
+# configuration files.
+# .IP "\fBopenssl_path (openssl)\fR"
+# The location of the OpenSSL command line program \fBopenssl\fR(1).
+# .IP "\fBsmtp_tls_loglevel (0)\fR"
+# Enable additional Postfix SMTP client logging of TLS activity.
+# .IP "\fBsmtp_tls_security_level (empty)\fR"
+# The default SMTP TLS security level for the Postfix SMTP client;
+# when a non-empty value is specified, this overrides the obsolete
+# parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
+# .IP "\fBsmtp_tls_session_cache_database (empty)\fR"
+# Name of the file containing the optional Postfix SMTP client
+# TLS session cache.
+# .IP "\fBsmtpd_tls_cert_file (empty)\fR"
+# File with the Postfix SMTP server RSA certificate in PEM format.
+# .IP "\fBsmtpd_tls_eccert_file (empty)\fR"
+# File with the Postfix SMTP server ECDSA certificate in PEM format.
+# .IP "\fBsmtpd_tls_eckey_file ($smtpd_tls_eccert_file)\fR"
+# File with the Postfix SMTP server ECDSA private key in PEM format.
+# .IP "\fBsmtpd_tls_key_file ($smtpd_tls_cert_file)\fR"
+# File with the Postfix SMTP server RSA private key in PEM format.
+# .IP "\fBsmtpd_tls_loglevel (0)\fR"
+# Enable additional Postfix SMTP server logging of TLS activity.
+# .IP "\fBsmtpd_tls_received_header (no)\fR"
+# Request that the Postfix SMTP server produces Received: message
+# headers that include information about the protocol and cipher used,
+# as well as the remote SMTP client CommonName and client certificate issuer
+# CommonName.
+# .IP "\fBsmtpd_tls_security_level (empty)\fR"
+# The SMTP TLS security level for the Postfix SMTP server; when
+# a non-empty value is specified, this overrides the obsolete parameters
+# smtpd_use_tls and smtpd_enforce_tls.
+# .IP "\fBtls_random_source (see 'postconf -d' output)\fR"
+# The external entropy source for the in-memory \fBtlsmgr\fR(8) pseudo
+# random number generator (PRNG) pool.
+# SEE ALSO
+# master(8) Postfix master program
+# postfix(1) Postfix administrative interface
+# LICENSE
+# .ad
+# .fi
+# The Secure Mailer license must be distributed with this software.
+# HISTORY
+# The "\fBpostfix tls\fR" command was introduced with Postfix
+# version 3.1.
+# AUTHOR(S)
+# Viktor Dukhovni
+#--
+
+RSA_BITS=2048 # default
+EC_CURVE=secp256r1 # default
+
+case $daemon_directory in
+"") echo This script must be run by the postfix command. 1>&2
+ echo Do not run directly. 1>&2
+ exit 1;;
+esac
+
+umask 022
+SHELL=/bin/sh
+
+postconf=$command_directory/postconf
+LOGGER="$command_directory/postlog -t $MAIL_LOGTAG/postfix-tls-script"
+INFO="$LOGGER -p info"
+WARN="$LOGGER -p warn"
+ERROR="$LOGGER -p error"
+FATAL="$LOGGER -p fatal"
+
+#
+# Can't do much without these in place.
+#
+cd $command_directory || {
+ # Let's hope there's a "postlog" somewhere else on the PATH
+ FATAL="postlog -p fatal -t $MAIL_LOGTAG/postfix-tls-script"
+ msg="no Postfix command directory '${command_directory}'"
+ $FATAL "$msg" || { echo "$msg" >&2; sleep 1; }
+ exit 1
+}
+
+check_getopt() {
+ OPTIND=1
+ a=
+ b=
+ c=
+ set -- -a 1 -b 2 -c -- -pos
+ while getopts :a:b:c o
+ do
+ case $o in
+ a) a="${OPTARG}";;
+ b) b="${OPTARG}";;
+ c) c=3;;
+ *) return 1;;
+ esac
+ done
+ shift `expr ${OPTIND} - 1`
+ if [ "${a}" != "1" -o "${b}" != 2 -o "${c}" != 3 \
+ -o "${OPTIND}" -ne 7 -o "$1" != "-pos" ]; then
+ return 1
+ fi
+}
+
+check_getopt || {
+ $FATAL "/bin/sh does not implement a compatible 'getopts' built-in"
+ exit 1
+}
+
+# ----- BEGIN OpenSSL-specific -----
+
+# No need to set the location of the OpenSSL command in each Postfix instance,
+# the value from the default instance is used for all instances.
+#
+default_config_directory=`$postconf -dh config_directory`
+openssl=`$postconf -c $default_config_directory -xh openssl_path`
+"$openssl" version >/dev/null 2>&1 || {
+ $FATAL "No working openssl(1) command found with 'openssl_path = $openssl'"
+ exit 1
+}
+
+# ----- END OpenSSL-specific -----
+
+# Make this our *last* "cd", so all the key/cert generation runs in the
+# configuration directory.
+#
+test -n "$config_directory" && cd $config_directory || {
+ $FATAL no Postfix configuration directory $config_directory!
+ exit 1
+}
+
+# Do we support TLS and if so which algorithms?
+#
+$postconf -T compile-version | grep . >/dev/null || {
+ mail_version=`$postconf -dh mail_version`
+ $FATAL "Postfix $mail_version is not compiled with TLS support"
+ exit 1
+}
+rsa=
+ecdsa=
+for _algo in `$postconf -T public-key-algorithms | egrep '^(rsa|ecdsa)$'`
+do
+ eval $_algo=$_algo
+done
+
+# ----- BEGIN OpenSSL-specific -----
+
+if [ -n "${ecdsa}" ]; then
+ $openssl ecparam -name secp256r1 >/dev/null 2>&1 || {
+ cat <<-EOM | $WARN
+ Postfix supports ECDSA, but the $openssl command does not. Consider
+ setting the openssl_path parameter to a more capable version of the
+ command-line utility than $openssl (with PATH=$PATH).
+ EOM
+ ecdsa=
+ }
+fi
+if [ -n "${rsa}" ]; then
+ DEFALG=rsa
+elif [ -n "${ecdsa}" ]; then
+ DEFALG=ecdsa
+else
+ mail_version=`$postconf -dh mail_version`
+ $FATAL "Postfix $mail_version does not support either RSA or ECDSA"
+ exit 1
+fi
+
+# Make sure stdin is open when testing
+if [ -r /dev/stdin ] < /dev/null; then
+ stdin=/dev/stdin
+elif [ -r /dev/fd/0 ] </dev/null; then
+ stdin=/dev/fd/0
+else
+ $FATAL No /dev/fd/0 or /dev/stdin found
+ exit 1
+fi
+
+hex_sha256() {
+ $openssl dgst -binary -sha256 | od -An -vtx1 | tr -d ' \012'
+}
+
+# We require SHA2-256 support from openssl(1)
+#
+null256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+tmp=`hex_sha256 </dev/null 2>/dev/null`
+if [ "${tmp}" != "${null256}" ]; then
+ cat <<EOF >&2
+Your $openssl does not support the SHA2-256 digest algorithm. To enable
+'postfix tls', install an OpenSSL that does. Install its openssl(1) command
+at /usr/local/bin/openssl or other suitable location, and set the
+'openssl_path' parameter in $default_config_directory/main.cf accordingly.
+EOF
+ $FATAL "No 'postfix tls' support when openssl(1) is obsolete"
+ exit 1
+fi
+
+read_key() {
+ [ -n "$1" -a -f "$1" ] || return 1
+
+ # Old OpenSSL versions return success even for unsupported sub-commands!
+ # So we inspect the output instead. Don't prompt if the key is password
+ # protected.
+ #
+ while read cmd key_algo key_param cert_param; do
+ $openssl $cmd -passin "pass:umask 077" -in "$1" |
+ grep . && return 0
+ done 2>/dev/null <<-EOF
+ rsa rsa smtpd_tls_key_file smtpd_tls_cert_file
+ ec ecdsa smtpd_tls_eckey_file smtpd_tls_eccert_file
+ EOF
+ return 1
+}
+
+pubkey_dgst() {
+ [ -n "$1" -a -f "$1" ] || return 1
+
+ # Old OpenSSL versions return success even for unsupported sub-commands!
+ # So we inspect the output instead.
+ #
+ for cmd in ec rsa; do
+ $openssl $cmd -passin "pass:umask 077" -in "$1" -pubout |
+ $openssl $cmd -pubin -outform DER |
+ hex_sha256 | egrep -v "${null256}" && return 0
+ done 2>/dev/null
+ return 1
+}
+
+cert_pubkey_dgst() {
+ [ -n "$1" -a -f "$1" ] || return 1
+
+ # Old OpenSSL versions return success even for unsupported sub-commands!
+ # So we inspect the output instead.
+ #
+ for cmd in ec rsa; do
+ $openssl x509 -pubkey -noout -in "$1" |
+ $openssl $cmd -pubin -outform DER |
+ hex_sha256 | egrep -v "${null256}" && return 0
+ done 2>/dev/null
+ return 1
+}
+
+copy_key() {
+ _algo=$1; shift
+ _bits=$1; shift
+ _fold=$1; shift
+ _fnew=$1; shift
+ _umask=`umask`
+
+ umask 077
+ read_key "${_fold}" > "${_fnew}" # sets key_algo of current key
+ _ret=$?
+ umask "${_umask}"
+
+ if [ "${_ret}" -ne 0 ]; then
+ $FATAL "Error copying private key from '${_fold}' to '${_fnew}'"
+ return 1
+ fi
+ if [ "${key_algo}" != "${_algo}" ]; then
+ $FATAL "Key algorithm '$key_algo' of '${_fold}' is not '${_algo}'"
+ return 1
+ fi
+ # XXX: We'd need C-code in postconf to portably check for compatible "bits"
+}
+
+create_key() {
+ _algo=$1
+ _bits=$2
+ _fnew=$3
+ _umask=`umask`
+
+ case $_algo in
+ "") $FATAL "Internal error: empty algorithm"; return 1;;
+ $rsa) set -- "${openssl}" genrsa -out "${_fnew}" "${_bits}";;
+ $ecdsa) set -- "${openssl}" ecparam -param_enc named_curve -genkey \
+ -out "${_fnew}" -name "${_bits}";;
+ *) $FATAL "Internal error: bad algorithm '${_algo}'"
+ return 1;;
+ esac
+
+ umask 077
+ _err=`"$@" 2>&1`
+ _ret=$?
+ umask "${_umask}"
+
+ if [ "${_ret}" -ne 0 ]; then
+ echo "${_err}" | $WARN
+ $FATAL "error generating new ${_algo} ${_bits} private key"
+ return 1
+ fi
+}
+
+create_cert() {
+ _k=$1; shift
+ _c=$1; shift
+ set_fqdn "$1"
+ if [ $# -gt 0 ]; then shift; fi
+ set -- "$fqdn" "$@"
+
+ if [ -r "${_c}" ]; then
+ $FATAL "New certificate file already exists: ${_c}"
+ return 1
+ fi
+
+ # Generate a new self-signed (~100 year) certificate
+ #
+ (
+ echo "default_md = sha256"
+ echo "x509_extensions = v3"
+ echo "prompt = yes"
+ echo "distinguished_name = dn"
+ echo "[dn]"
+ echo "[v3]"
+ echo "basicConstraints = CA:false"
+ echo "subjectKeyIdentifier = hash"
+ echo "extendedKeyUsage = serverAuth, clientAuth"
+ echo "subjectAltName = @alts"
+ echo "[alts]"
+ i=1; for dns in "$@"; do
+ # XXX map empty to $myhostname
+ echo "DNS.$i = $dns"
+ i=`expr $i + 1`
+ done
+ ) | $openssl req -x509 -config $stdin -new -key "${_k}" \
+ -subj "/CN=$fqdn" -days 36525 -out "${_c}" || {
+ rm -f "${_c}" "${_k}"
+ $FATAL "error generating self-signed SSL certificate"
+ return 1
+ }
+}
+
+output_server_csr() {
+ set_keyfile "$1" || return 1
+ shift
+ set_fqdn "$1" || return 1
+ shift
+ set -- "$fqdn" "$@"
+ (
+ echo "default_md = sha256"
+ echo "req_extensions = v3"
+ echo "prompt = yes"
+ echo "distinguished_name = dn"
+ echo "[dn]"
+ echo "[v3]"
+ echo "subjectKeyIdentifier = hash"
+ echo "extendedKeyUsage = serverAuth, clientAuth"
+ echo "subjectAltName = @alts"
+ echo "[alts]"
+ i=1; for dns in "$@"; do
+ echo "DNS.$i = $dns"
+ i=`expr $i + 1`
+ done
+ ) | $openssl req -config $stdin -new -key "$keyfile" -subj /
+}
+
+# ----- END OpenSSL-specific -----
+
+info_enable_client() {
+ cat <<-EOM
+ *** Non-default SMTP client TLS settings detected, no changes made.
+ For opportunistic TLS in the Postfix SMTP client, the below settings
+ are typical:
+ smtp_tls_security_level = may
+ smtp_tls_loglevel = 1
+ EOM
+ if get_cache_db_type dbtype
+ then
+ echo " smtp_tls_session_cache_database = ${dbtype}:\${data_directory}/smtp_scache"
+ fi
+}
+
+info_client_deployed() {
+ cat <<-EOM
+ Enabled opportunistic TLS in the Postfix SMTP client, run:
+ # postfix reload
+ if you want the new settings to take effect immediately.
+ EOM
+}
+
+info_enable_server() {
+ cat <<-EOM
+ *** Non-default SMTP server TLS settings detected, no changes made.
+ For opportunistic TLS in the Postfix SMTP server, the below settings
+ are typical:
+ smtpd_tls_security_level = may
+ smtpd_tls_loglevel = 1
+ You can use "postfix tls new-server-cert" to create a new certificate.
+ Or, "postfix tls new-server-key" to also force a new private key.
+ If you publish DANE TLSA records, see:
+ https://tools.ietf.org/html/rfc7671#section-8
+ https://tools.ietf.org/html/rfc7671#section-5.1
+ https://tools.ietf.org/html/rfc7671#section-5.2
+ https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022
+ EOM
+}
+
+# args: certfile keyfile deploy
+info_created() {
+ cat <<-EOM
+ New private key and self-signed certificate created. To deploy run:
+ # postfix tls deploy-server-cert $1 $2
+ EOM
+}
+
+# args: certfile keyfile deploy
+info_server_deployed() {
+ if [ "$3" = "enable" ]; then
+ echo "Enabled opportunistic TLS in the Postfix SMTP server"
+ fi
+ cat <<-EOM
+ New TLS private key and certificate deployed, run:
+ # postfix reload
+ if you want the new settings to take effect immediately.
+ EOM
+}
+
+# args: certfile keyfile deploy
+info_csr() {
+ cat <<-EOM
+ To generate a CSR run:
+ # postfix tls output-server-csr -k $2 [<hostname> ...]
+ EOM
+ if [ -z "$3" ]; then
+ echo "Save the signed certificate chain in ${config_directory}/$1, and deploy as above."
+ else
+ echo "Save the signed certificate chain in ${config_directory}/$1."
+ fi
+}
+
+# args: certfile keyfile deploy
+info_tlsa() {
+ # If already deployed, info for how to show all the deployed keys.
+ # Otherwise, just the new keys, so that TLSA records can be updated
+ # first.
+ if [ -n "$3" ]; then shift $#; fi
+ cat <<-EOM
+ To generate TLSA records run:
+ # postfix tls output-server-tlsa [-h <hostname>] $2
+ EOM
+}
+
+# args: certfile keyfile deploy
+info_dane_dns() {
+ # If already deployed, too late to wait, otherwise advise updating TLSA
+ # RRs before deployment.
+ if [ -n "$3" ]; then
+ cat <<-EOM
+ (If you have DANE TLSA RRs, update them as soon as possible to match
+ the newly deployed keys).
+ EOM
+ else
+ cat <<-EOM
+ (deploy after updating the DNS and waiting for stale RRs to expire).
+ EOM
+ fi
+}
+
+set_fqdn() {
+ if [ -n "$1" ]; then fqdn=$1; return 0; fi
+ fqdn=`$postconf -xh myhostname` || return 1
+ case $fqdn in /*) fqdn=`cat "${fqdn}"` || return 1;; esac
+}
+
+set_keyfile() {
+ keyfile=$1
+ case $keyfile in
+ "") : empty ok;;
+ $rsa) keyfile=`$postconf -nxh smtpd_tls_key_file`;;
+ $ecdsa) keyfile=`$postconf -nxh smtpd_tls_eckey_file`;;
+ esac
+ if [ "${keyfile}" = "none" ]; then keyfile= ; fi
+}
+
+check_key() {
+ read_key "$1" >/dev/null && return 0
+ $FATAL "no private key found in file: $1"
+ return 1
+}
+
+# Create new key or copy existing if specified.
+#
+ensure_key() {
+ _algo=$1; shift
+ _bits=$1; shift
+ stamp=`TZ=UTC date +%Y%m%d-%H%M%S`
+
+ case $_algo in
+ "") $FATAL "Internal error: empty algorithm "; return 1;;
+ $rsa) keyfile="key-${stamp}.pem"; certfile="cert-${stamp}.pem";;
+ $ecdsa) keyfile="eckey-${stamp}.pem"; certfile="eccert-${stamp}.pem";;
+ *) $FATAL "Internal error: bad algorithm '${_algo}'"
+ return 1;;
+ esac
+
+ if [ -r "${keyfile}" ]; then
+ $FATAL "New private key file already exists: ${keyfile}"
+ return 1
+ fi
+ if [ -r "${certfile}" ]; then
+ $FATAL "New certificate file already exists: ${certfile}"
+ return 1
+ fi
+
+ if [ -n "$1" ]; then
+ copy_key "${_algo}" "${_bits}" "$1" "${keyfile}" && return 0
+ else
+ create_key "${_algo}" "${_bits}" "${keyfile}" && return 0
+ fi
+ rm -f "${keyfile}"
+ return 1
+}
+
+init_random_source() {
+ tls_random_source=$1
+
+ if [ -z "${tls_random_source}" ]; then
+ tls_random_source=`$postconf -xh tls_random_source`
+ fi
+ if [ -n "${tls_random_source}" ]; then
+ return 0
+ fi
+ if [ -r /dev/urandom ]
+ then
+ tls_random_source=dev:/dev/urandom
+ else
+ $FATAL no default TLS random source defined and no /dev/urandom
+ return 1
+ fi
+}
+
+all_default() {
+ prefix=$1; shift
+ for var in "$@"
+ do
+ val=`$postconf -nh "${prefix}${var}"`
+ if [ -n "$val" ]; then return 1; fi
+ done
+ return 0
+}
+
+# Select read-write database type for TLS session caches.
+#
+get_cache_db_type() {
+ var=$1; shift
+ prio=0
+ ret=1
+ for _dbtype in `$postconf -m`
+ do
+ _prio=0
+ case $_dbtype in
+ lmdb) _prio=2;;
+ btree) _prio=1;;
+ esac
+ if [ "$_prio" -gt "$prio" ]
+ then
+ eval "$var=\$_dbtype"
+ prio=$_prio
+ ret=0
+ fi
+ done
+ return $ret
+}
+
+deploy_server_cert() {
+ certfile=$1; shift
+ keyfile=$1; shift
+ deploy=$1; shift
+
+ # Sets key_algo, key_param and cert_param
+ check_key "$keyfile" || return 1
+
+ cd=`cert_pubkey_dgst "${certfile}"` || {
+ $FATAL "error computing certificate public key digest"
+ return 1
+ }
+ kd=`pubkey_dgst "$keyfile"` || {
+ $FATAL "error computing public key digest"
+ return 1
+ }
+
+ if [ "$cd" != "$kd" ]; then
+ $FATAL "Certificate in ${certfile} does not match key in ${keyfile}"
+ return 1
+ fi
+
+ set -- \
+ "${key_param} = ${keyfile}" \
+ "${cert_param} = ${certfile}"
+
+ if [ "${deploy}" = "enable" ]; then
+ set -- "$@" \
+ "smtpd_tls_security_level = may" \
+ "smtpd_tls_received_header = yes" \
+ "smtpd_tls_loglevel = 1"
+ fi
+
+ if [ -n "${tls_random_source}" ]; then
+ set -- "$@" "tls_random_source = ${tls_random_source}"
+ fi
+
+ # All in one shot, since postconf delays modifying "hot" main.cf files.
+ $postconf -e "$@" || return 1
+}
+
+# Prepare a new cert and perhaps re-use any existing private key.
+#
+new_server_cert() {
+ algo=$1; shift
+ bits=$1; shift
+ oldkey=$1; shift
+ deploy=$1; shift
+
+ # resets keyfile (copy or else new) and new certfile
+ ensure_key "$algo" "$bits" "${oldkey}" || return 1
+ create_cert "${keyfile}" "${certfile}" "$@" || return 1
+ if [ -n "${deploy}" ]; then
+ deploy_server_cert "${certfile}" "${keyfile}" "${deploy}" || return 1
+ fi
+
+ (
+ if [ -z "${deploy}" ]; then
+ info_created "${certfile}" "${keyfile}" "${deploy}"
+ else
+ info_server_deployed "${certfile}" "${keyfile}" "${deploy}"
+ fi
+ info_csr "${certfile}" "${keyfile}" "${deploy}"
+ info_tlsa "${certfile}" "${keyfile}" "${deploy}"
+ if [ -z "${oldkey}" ]; then
+ info_dane_dns "${certfile}" "${keyfile}" "${deploy}"
+ fi
+ ) | $INFO
+}
+
+enable_client() {
+ if all_default smtp_ \
+ use_tls enforce_tls tls_enforce_peername tls_security_level tls_cert_file
+ then
+ set -- \
+ "smtp_tls_security_level = may" \
+ "smtp_tls_loglevel = 1"
+
+ if get_cache_db_type dbtype
+ then
+ set -- "$@" \
+ "smtp_tls_session_cache_database = ${dbtype}:${data_directory}/smtp_scache"
+ fi
+
+ if [ -n "${tls_random_source}" ]; then
+ set -- "$@" "tls_random_source = ${tls_random_source}"
+ fi
+
+ # All in one shot, since postconf delays modifying "hot" main.cf files.
+ $postconf -e "$@" || return 1
+ info_client_deployed
+ else
+ info_enable_client
+ fi | $INFO
+}
+
+enable_server() {
+ algo=$1; shift
+ bits=$1; shift
+
+ if all_default smtpd_ \
+ use_tls enforce_tls tls_security_level tls_cert_file
+ then
+ # algo bits keyfile deploy [hostnames ...]
+ new_server_cert "${algo}" "${bits}" "" "enable" "$@" || return 1
+ else
+ info_enable_server | $INFO
+ fi
+}
+
+output_server_tlsa() {
+ hostname=$1
+ check_key "$2" || return 1
+ data=`pubkey_dgst "$2"` || return 1
+ if [ -z "$data" ]
+ then
+ $FATAL error computing SHA2-256 SPKI digest of "$key"
+ return 1
+ fi
+ echo "_25._tcp.$hostname. IN TLSA 3 1 1 $data"
+}
+
+#
+# Parse JCL
+#
+case $1 in
+enable-client)
+ cmd=$1; shift; OPTIND=1
+ rand=
+ while getopts :r: _opt
+ do
+ case $_opt in
+ r) rand="${OPTARG}";;
+ *) $FATAL "usage: postfix tls $cmd [-r devrandom]"
+ exit 1;;
+ esac
+ done
+
+ # No positional arguments supported with enable-client
+ if [ $# -ge "${OPTIND}" ]; then
+ $FATAL "usage: postfix tls $cmd [-r devrandom]"
+ exit 1
+ fi
+ # But, shift anyway
+ shift `expr $OPTIND - 1`
+
+ init_random_source "${rand}" || exit 1
+ enable_client || exit 1
+ ;;
+
+enable-server)
+ cmd=$1; shift; OPTIND=1
+ algo=$DEFALG
+ bits=
+ rand=
+ while getopts :a:b:r: _opt
+ do
+ case $_opt in
+ a) algo="${OPTARG}";;
+ b) bits="${OPTARG}";;
+ r) rand="${OPTARG}";;
+ *) $FATAL "usage: postfix tls $cmd [-a algorithm] [-b bits ] [-r devrandom] [hostname ...]"
+ exit 1;;
+ esac
+ done
+
+ # Here positional arguments are hostnames for the new certificate, as
+ # many as the user wants
+ shift `expr $OPTIND - 1`
+
+ case $algo in
+ "") $FATAL "Internal error: empty algorithm "; return 1;;
+ $rsa) : ${bits:=${RSA_BITS}};;
+ $ecdsa) : ${bits:=${EC_CURVE}};;
+ *) $FATAL "Unsupported private key algorithm: $algo"
+ exit 1;;
+ esac
+
+ init_random_source "${rand}" || exit 1
+ enable_server "${algo}" "${bits}" "$@" || exit 1
+ ;;
+
+new-server-key)
+ cmd=$1; shift; OPTIND=1
+ algo=$DEFALG
+ while getopts :a:b: _opt
+ do
+ case $_opt in
+ a) algo="${OPTARG}";;
+ b) bits="${OPTARG}";;
+ *) $FATAL "usage: postfix tls $cmd [-a algorithm] [-b bits ] [hostname ...]"
+ exit 1;;
+ esac
+ done
+
+ # Here positional arguments are hostnames for the new certificate, as
+ # many as the user wants
+ shift `expr $OPTIND - 1`
+
+ case $algo in
+ "") $FATAL "Internal error: empty algorithm "; return 1;;
+ $rsa) : ${bits:=${RSA_BITS}};;
+ $ecdsa) : ${bits:=${EC_CURVE}};;
+ *) $FATAL "Unsupported public key algorithm: $algo"
+ exit 1;;
+ esac
+
+ # Force new key
+ new_server_cert "${algo}" "${bits}" "" "" "$@" || exit 1
+ ;;
+
+new-server-cert)
+ cmd=$1; shift; OPTIND=1
+ algo=$DEFALG
+ while getopts :a:b: _opt
+ do
+ case $_opt in
+ a) algo="${OPTARG}";;
+ b) bits="${OPTARG}";;
+ *) $FATAL "usage: postfix tls $cmd [-a algorithm] [-b bits ] [hostname ...]"
+ exit 1;;
+ esac
+ done
+
+ # Here positional arguments are hostnames for the new certificate, as
+ # many as the user wants
+ shift `expr $OPTIND - 1`
+
+ case $algo in
+ "") $FATAL "Invalid empty key algorithm"; exit 1;;
+ $rsa) : ${bits:=${RSA_BITS}};;
+ $ecdsa) : ${bits:=${EC_CURVE}};;
+ *) $FATAL "Unsupported private key algorithm: $algo"
+ exit 1;;
+ esac
+
+ # Existing keyfile or empty
+ set_keyfile "${algo}"
+
+ # Try to re-use (copy) existing key.
+ new_server_cert "${algo}" "${bits}" "${keyfile}" "" "$@" || exit 1
+ ;;
+
+deploy-server-cert)
+ if [ $# -ne 3 ]; then
+ $FATAL "usage: postfix tls $1 certfile keyfile"
+ exit 1
+ fi
+ shift
+ deploy_server_cert "$@" || exit 1
+ info_server_deployed "$1" "$2" "deploy" | $INFO
+ ;;
+
+output-server-csr)
+ cmd=$1; shift; OPTIND=1
+ k=
+ while getopts :k: _opt
+ do
+ case $_opt in
+ k) k="${OPTARG}";;
+ *) $FATAL "usage: postfix tls $cmd [-k keyfile] [hostname ...]"
+ exit 1;;
+ esac
+ done
+
+ # Here positional arguments are hostnames for the new certificate, as
+ # many as the user wants
+ shift `expr $OPTIND - 1`
+
+ if [ -n "${k}" ]; then
+ set_keyfile "${k}"
+ else
+ for _algo in $rsa $ecdsa
+ do
+ set_keyfile "${_algo}"
+ if [ -n "${keyfile}" ]; then
+ break
+ fi
+ done
+ fi
+
+ if [ -z "${keyfile}" -o ! -r "${keyfile}" ]; then
+ $FATAL "No usable keyfile specified or configured"
+ exit 1
+ fi
+
+ # Default <hostname> from $myhostname
+ if [ $# -eq 0 ]; then
+ set_fqdn
+ set -- "$fqdn"
+ fi
+
+ # Output a CSR for the requested names
+ output_server_csr "$keyfile" "$@" || exit 1
+ ;;
+
+output-server-tlsa)
+ cmd=$1; shift; OPTIND=1
+ hostname=
+ while getopts :h: _opt
+ do
+ case $_opt in
+ h) hostname="${OPTARG}";;
+ *) $FATAL "usage: postfix tls $cmd [-h hostname] [keyfile ...]"
+ exit 1;;
+ esac
+ done
+ set_fqdn "${hostname}"
+
+ # Here positional arguments are keyfiles for which we ouput "3 1 1"
+ # TLSA RRs, as many keyfiles as the user wants. By default the live
+ # RSA and/or ECDSA keys.
+ shift `expr $OPTIND - 1`
+
+ if [ $# -eq 0 ]; then set -- $rsa $ecdsa; fi
+
+ found=
+ for _k in "$@"
+ do
+ set_keyfile "${_k}"
+ if [ -z "${keyfile}" ]; then continue; fi
+ echo "; ${keyfile}"
+ output_server_tlsa "${fqdn}" "${keyfile}" || exit 1
+ found=1
+ done
+ if [ -z "${found}" ]; then
+ $FATAL "No usable keyfiles specified or configured"
+ exit 1
+ fi
+ ;;
+
+*)
+ $ERROR "unknown tls command: '$1'"
+ $FATAL "usage: postfix tls enable-client (or enable-server, new-server-key, new-server-cert, deploy-server-cert, output-server-csr, output-server-tlsa)"
+ exit 1
+ ;;
+
+esac
<tr> <td><a href="postconf.5.html#newaliases_path">newaliases_path</a></td> <td>/usr/bin/newaliases</td> </tr>
+<tr> <td>openssl_path</td> <td>openssl</td> </tr>
+
<tr> <td><a href="postconf.5.html#queue_directory">queue_directory</a></td> <td>/var/spool/postfix</td> </tr>
<tr> <td><a href="postconf.5.html#readme_directory">readme_directory</a></td> <td>no</td> </tr>
postqueue.1.html postsuper.1.html sendmail.1.html \
smtp-source.1.html smtp-sink.1.html posttls-finger.1.html \
qmqp-source.1.html qmqp-sink.1.html \
- qshape.1.html
+ qshape.1.html postfix-tls.1.html
CONFIG = access.5.html aliases.5.html canonical.5.html relocated.5.html \
transport.5.html virtual.5.html pcre_table.5.html regexp_table.5.html \
cidr_table.5.html tcp_table.5.html header_checks.5.html \
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | $(NROFF) -man | uniq | $(MAN2HTML) | postlink >$@
+postfix-tls.1.html: ../conf/postfix-tls-script
+ PATH=../mantools:$$PATH; \
+ srctoman - $? | $(AWK) | $(NROFF) -man | uniq | $(MAN2HTML) | postlink >$@
+
postkick.1.html: ../src/postkick/postkick.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | $(NROFF) -man | uniq | $(MAN2HTML) | postlink >$@
sign your own Postfix public key certificate, you get TLS encryption
but no TLS authentication. This is sufficient for testing, and
for exchanging email with sites that you have no trust relationship
-with. For real authentication, your Postfix public key certificate
-needs to be signed by a recognized Certification Authority, and
-Postfix needs to be configured with a list of public key certificates
-of Certification Authorities, so that Postfix can verify the public key
-certificates of remote hosts. </p>
+with. For real authentication you need also enable DNSSEC record
+signing for your domain and publish TLSA records and/or your Postfix
+public key certificate needs to be signed by a recognized Certification
+Authority. To authenticate the certificates of remote host you
+need a DNSSEC-validating local resolver and to enable <a
+href="#client_tls_dane">DANE</a> authentication and/or configure
+the Postfix SMTP client with a list of public key certificates of
+Certification Authorities, but make sure to read about the <a
+href="#client_tls_limits">limitations</a> of the latter approach.
+</p>
<p> In the examples below, user input is shown in <b><tt>bold</tt></b>
font, and a "<tt>#</tt>" prompt indicates a super-user shell. </p>
<ul>
-<li> <p> <a name="#self-signed">Self-signed server certificate</a>.</p>
+<li> <p> <a href="#built-in">Quick-start TLS with Postfix ≥ 3.1</a>.</p>
+
+<li> <p> <a href="#self-signed">Self-signed server certificate</a>.</p>
+
+<li> <p> <a href="#private-ca">Private Certification Authority</a>. </p>
+
+</ul>
+
+<h3><a name="built-in">Quick-start TLS with Postfix ≥ 3.1</a></h3>
-<li> <p> <a name="#private-ca">Private Certification Authority</a>. </p>
+<p> Postfix 3.1 provides built-in support for enabling TLS in the
+SMTP client and server and for ongoing certificate and DANE TLSA
+record management.
+<ul>
+<li> <p> <a href="#quick-client">Quick-start TLS in the Postfix ≥ 3.1 SMTP client</a>. </p>
+<li> <p> <a href="#quick-server">Quick-start TLS in the Postfix ≥ 3.1 SMTP server</a>. </p>
</ul>
+<h4> <a name="quick-client">Quick-start TLS in the Postfix ≥ 3.1 SMTP client</a>. </h4>
+
+<p> If you are using Postfix 3.1 or later, and your SMTP client TLS
+settings are in their default state, you can enable <a
+href="#client_tls_may">opportunistic</a> TLS in the SMTP client as
+follows: </p>
+
+<blockquote>
+<pre>
+# postfix tls enable-client
+# postfix reload
+</pre>
+</blockquote>
+
+<p> If some of the Postfix SMTP client TLS settings are not in their
+default state, this will not make any changes, but will instead
+suggest the minimal required settings for SMTP client TLS. The
+"postfix reload" command is optional, it is only needed if you want
+the settings to take effect right away. Note, this does not enable
+trust in any public certification authorities, and does not configure
+client TLS certificates as these are largely pointless with <a
+href="#client_tls_may">opportunistic</a> TLS. </p>
+
+<p> There is not yet a turn-key command for enabling <a
+href="#client_tls_dane">DANE</a> authentication. This is because
+DANE requires changes to your <b>resolv.conf</b> file and a
+corresponding DNSSEC-validating resolver local to the Postfix host,
+these changes are difficult to automate in a portable way. </p>
+
+<p> If you're willing to revert your settings to the defaults and
+switch to a "stock" opportunistic TLS configuration, then you can:
+erase all the SMTP client TLS settings and then enable client TLS: </p>
+
+<blockquote>
+<pre>
+# postconf -X `postconf -nH | egrep '^smtp(_|_enforce_|_use_)tls'`
+# postfix tls enable-client
+# postfix reload
+</pre>
+</blockquote>
+
+<h4><a name="quick-server">Quick-start TLS in the Postfix ≥ 3.1 SMTP server</a>.</h4>
+
+<p> If you are using Postfix 3.1 or later, and your SMTP server TLS
+settings are in their default state, you can enable
+opportunistic TLS in the SMTP server as follows: </p>
+
+<blockquote>
+<pre>
+# postfix tls enable-server
+# postfix reload
+</pre>
+</blockquote>
+
+<p> If some of the Postfix SMTP client TLS settings are not in their
+default state, this will not make any changes, but will instead
+suggest the minimal required settings for SMTP client TLS. The
+"postfix reload" command is optional, it is only needed if you want
+the settings to take effect right away. This will generate a
+self-signed private key and certificate and enable TLS in the Postfix
+SMTP server. </p>
+
+<p> If you're willing to revert your settings to the defaults and
+switch to a "stock" server TLS configuration, then you can: erase
+all the SMTP server TLS settings and then enable server TLS: </p>
+
+<blockquote>
+<pre>
+# postconf -X `postconf -nH | egrep '^smtpd(_|_enforce_|_use_)tls'`
+# postfix tls enable-server
+# postfix reload
+</pre>
+</blockquote>
+
+<p> Postfix ≥ 3.1 provides additional built-in support for ongoing
+management of TLS in the SMTP server, via additional "postfix tls"
+sub-commands. These make it easy to generate certificate signing
+requests, create and deploy new keys and certificates, and generate
+DANE TLSA records. See the <a href="postfix-tls.1.html">postfix-tls(1)</a> documentation for details.
+</p>
+
<h3><a name="self-signed">Self-signed server certificate</a></h3>
<p> The following commands (credits: Viktor Dukhovni) generate and
<b>postconf -t</b> [<b>-v</b>] [<b>-c</b> <i>config</i><b>_</b><i>dir</i>] [<i>template</i><b>_</b><i>file</i>]
+ <b>Managing TLS features:</b>
+
+ <b>postconf</b> [<b>-v</b>] [<b>-c</b> <i>config</i><b>_</b><i>dir</i>] <b>-T</b> <i>mode</i>
+
<b>Managing other configuration:</b>
<b>postconf -a</b>|<b>-A</b>|<b>-l</b>|<b>-m</b> [<b>-v</b>] [<b>-c</b> <i>config</i><b>_</b><i>dir</i>]
This feature is available with Postfix 2.3 and later.
+ <b>-T</b> <i>mode</i>
+ If Postfix is compiled without TLS support, the <b>-T</b> option pro-
+ duces no output. Otherwise, if an invalid <i>mode</i> is specified,
+ the <b>-T</b> option reports an error and exits with a non-zero status
+ code. The valid modes are:
+
+ <b>compile-version</b>
+ Output the OpenSSL version that Postfix was compiled with
+ (i.e. the OpenSSL version in a header file). The output
+ format is the same as with the command "<b>openssl version</b>".
+
+ <b>run-version</b>
+ Output the OpenSSL version that Postfix is linked with at
+ runtime (i.e. the OpenSSL version in a shared library).
+
+ <b>public-key-algorithms</b>
+ Output the lower-case names of the supported public-key
+ algorithms, one per-line.
+
+ This feature is available with Postfix 3.1 and later.
+
<b>-v</b> Enable verbose logging for debugging purposes. Multiple <b>-v</b>
options make the software increasingly verbose.
<p> This feature is available in Postfix 3.0 and later. </p>
+</DD>
+
+<DT><b><a name="openssl_path">openssl_path</a>
+(default: openssl)</b></DT><DD>
+
+<p>
+The location of the OpenSSL command line program openssl(1). This
+is used by the "<b>postfix tls</b>" command to create private keys,
+certificate signing requests, self-signed certificates, and to
+compute public key digests for DANE TLSA records. In multi-instance
+environments, this parameter is always determined from the configuration
+of the default Postfix instance.
+</p>
+
+<p> Example: </p>
+
+<blockquote>
+<pre>
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+ # NetBSD pkgsrc:
+ <a href="postconf.5.html#openssl_path">openssl_path</a> = /usr/pkg/bin/openssl
+ # Local build:
+ <a href="postconf.5.html#openssl_path">openssl_path</a> = /usr/local/bin/openssl
+</pre>
+</blockquote>
+
+<p>
+This feature is available in Postfix 3.1 and later.
+</p>
+
+
</DD>
<DT><b><a name="owner_request_special">owner_request_special</a>
<li> <a href="postfix.1.html">postfix(1)</a>, Postfix control program
+<li> <a href="postfix-tls.1.html">postfix-tls(1)</a>, Postfix TLS management
+
<li> <a href="postkick.1.html">postkick(1)</a>, trigger Postfix daemon
<li> <a href="postlock.1.html">postlock(1)</a>, Postfix-compatible locking
--- /dev/null
+<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
+ "http://www.w3.org/TR/html4/loose.dtd">
+<html> <head>
+<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
+<title> Postfix manual - postfix-tls(1) </title>
+</head> <body> <pre>
+POSTFIX-TLS(1) POSTFIX-TLS(1)
+
+<b>NAME</b>
+ postfix-tls - Postfix TLS management
+
+<b>SYNOPSIS</b>
+ <b>postfix tls</b> <i>subcommand</i> <b>...</b>
+
+<b>DESCRIPTION</b>
+ The "<b>postfix tls</b> <i>subcommand</i> <b>...</b>" feature enables opportunistic TLS in
+ the Postfix SMTP client or server, and manages Postfix SMTP server pri-
+ vate keys and certificates.
+
+ The following subcommands are available:
+
+ <b>enable-client</b> [<b>-r</b> <i>randsource</i>]
+ Enable opportunistic TLS in the Postfix SMTP client, if all SMTP
+ client TLS settings are at their default values. Otherwise,
+ suggest parameter settings without making any changes.
+
+ Specify <i>randsource</i> to update the value of the <b><a href="postconf.5.html#tls_random_source">tls_random_source</a></b>
+ configuration parameter (typically, /dev/urandom). Prepend <b>dev:</b>
+ to device paths or <b>egd:</b> to EGD socket paths.
+
+ <b>enable-server</b> [<b>-r</b> <i>randsource</i>] [<b>-a</b> <i>algorithm</i>] [<b>-b</b> <i>bits</i>] [<i>hostname</i> <b>...</b>]
+ Create a new private key and self-signed server certificate and
+ enable opportunistic TLS in the Postfix SMTP server, if all SMTP
+ server TLS settings are at their default values. Otherwise,
+ suggest parameter settings without making any changes.
+
+ The <i>randsource</i> parameter is as with <b>enable-client</b> above, and the
+ remaining options are as with <b>new-server-key</b> below.
+
+ <b>new-server-key</b> [<b>-a</b> <i>algorithm</i>] [<b>-b</b> <i>bits</i>] [<i>hostname</i> <b>...</b>]
+ Create a new private key and self-signed server certificate, but
+ do not deploy them. Log and display commands to deploy the new
+ key and corresponding certificate. Also log and display com-
+ mands to output a corresponding CSR or TLSA records which may be
+ needed to obtain a CA certificate or to update DNS before the
+ new key can be deployed.
+
+ The <i>algorithm</i> defaults to <b>rsa</b>, and <i>bits</i> defaults to 2048. If
+ you choose the <b>ecdsa</b> <i>algorithm</i> then <i>bits</i> will be an EC curve
+ name (by default <b>secp256r1</b>, also known as prime256v1). Curves
+ other than <b>secp256r1</b>, <b>secp384r1</b> or <b>secp521r1</b> are unlikely to be
+ widely interoperable. When generating EC keys, use one of these
+ three. DSA keys are obsolete and are not supported.
+
+ Note: ECDSA support requires OpenSSL 1.0.0 or later and may not
+ be available on your system. Not all client systems will sup-
+ port ECDSA, so you'll generally want to deploy both RSA and
+ ECDSA certificates to make use of ECDSA with compatible clients
+ and RSA with the rest. If you want to deploy certificate chains
+ with intermediate CAs for both RSA and ECDSA, you'll want at
+ least OpenSSL 1.0.2, as earlier versions may not handle multiple
+ chain files correctly.
+
+ The first <i>hostname</i> argument will be the <b>CommonName</b> of both the
+ subject and issuer of the self-signed certificate. It, and any
+ additional <i>hostname</i> arguments, will also be listed as DNS alter-
+ native names in the certificate. If no <i>hostname</i> is provided the
+ value of the <b><a href="postconf.5.html#myhostname">myhostname</a></b> <a href="postconf.5.html">main.cf</a> parameter will be used.
+
+ For RSA, the generated private key and certificate files are
+ named <b>key-</b><i>yyyymmdd-hhmmss</i><b>.pem</b> and <b>cert-</b><i>yyyymmdd-hhmmss</i><b>.pem</b>,
+ where <i>yyyymmdd</i> is the calendar date and <i>hhmmss</i> is the time of
+ day in UTC. For ECDSA, the file names start with <b>eckey-</b> and
+ <b>eccert-</b> instead of <b>key-</b> and <b>cert-</b> respectively.
+
+ Before deploying the new key and certificate with DANE, update
+ the DNS with new DANE TLSA records, then wait for secondary
+ nameservers to update and then for stale records in remote DNS
+ caches to expire.
+
+ Before deploying a new CA certificate make sure to include all
+ the required intermediate issuing CA certificates in the cer-
+ tificate chain file. The server certificate must be the first
+ certificate in the chain file. Overwrite and deploy the file
+ with the original self-signed certificate that was generated
+ together with the key.
+
+ <b>new-server-cert</b> [<b>-a</b> <i>algorithm</i>] [<b>-b</b> <i>bits</i>] [<i>hostname</i> <b>...</b>]
+ This is just like <b>new-server-key</b> except that, rather than gener-
+ ating a new private key, any currently deployed private key is
+ copied to the new key file. Thus if you're publishing DANE TLSA
+ "3 1 1" or "3 1 2" records, there is no need to update DNS
+ records. The <i>algorithm</i> <b>and</b> <i>bits</i> arguments are used only if no
+ key of the same algorithm is already configured.
+
+ This command is rarely needed, because the self-signed certifi-
+ cates generated have a 100-year nominal expiration time. The
+ underlying public key algorithms may well be obsoleted by quan-
+ tum computers long before then.
+
+ The most plausible reason for using this command is when the
+ system hostname changes, and you'd like the name in the certifi-
+ cate to match the new hostname (not required for DANE "3 1 1",
+ but some needlessly picky non-DANE opportunistic TLS clients may
+ log warnings or even refuse to communicate).
+
+ <b>deploy-server-cert</b> <i>certfile keyfile</i>
+ This subcommand deploys the certificates in <i>certfile</i> and private
+ key in <i>keyfile</i> (which are typically generated by the commands
+ above, which will also log and display the full command needed
+ to deploy the generated key and certificate). After the new
+ certificate and key are deployed any obsolete keys and certifi-
+ cates may be removed by hand. The <i>keyfile</i> and <i>certfile</i> file-
+ names are relative to the Postfix configuration directory.
+
+ <b>output-server-csr</b> [<b>-k</b> <i>keyfile</i>] [<i>hostname</i>
+ Write to stdout a certificate signing request (CSR) for the
+ specified <i>keyfile</i>.
+
+ Instead of a filename, <i>keyfile</i> may specify one of the supported
+ key algorithm names (see "<b>postconf -T public-key-algorithms</b>").
+ In that case, the corresponding setting from <a href="postconf.5.html">main.cf</a> is used to
+ locate the <i>keyfile</i>. The default <i>keyfile</i> value is <b>rsa</b>.
+
+ Zero or more <i>hostname</i> values can be specified. The default
+ <i>hostname</i> is the value of <b><a href="postconf.5.html#myhostname">myhostname</a></b> <a href="postconf.5.html">main.cf</a> parameter.
+
+ <b>output-server-tlsa</b> [<b>-h</b> <i>hostname</i>] [<i>keyfile</i> <b>...</b>]
+ Write to stdout a DANE TLSA RRset suitable for a port 25 SMTP
+ server on host <i>hostname</i> with keys from any of the specified <i>key-</i>
+ <i>file</i> values. The default <i>hostname</i> is the value of the <b>myhost-</b>
+ <b>name</b> <a href="postconf.5.html">main.cf</a> parameter.
+
+ Instead of filenames, the <i>keyfile</i> list may specify names of sup-
+ ported public key algorithms (see "<b>postconf -T public-key-algo-</b>
+ <b>rithms</b>"). In that case, the actual <i>keyfile</i> list uses the values
+ of the corresponding Postfix server TLS key file parameters. If
+ a parameter value is empty or equal to <b>none</b>, then no TLSA record
+ is output for that algorithm.
+
+ The default <i>keyfile</i> list consists of the two supported algo-
+ rithms <b>rsa</b> and <b>ecdsa</b>.
+
+<b>CONFIGURATION PARAMETERS</b>
+ The "<b>postfix tls</b> <i>subcommand</i> <b>...</b>" feature reads or updates the following
+ configuration parameters.
+
+ <b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b>
+ The location of all postfix administrative commands.
+
+ <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
+ The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
+ figuration files.
+
+ <b><a href="postconf.5.html#openssl_path">openssl_path</a> (openssl)</b>
+ The location of the OpenSSL command line program <b>openssl</b>(1).
+
+ <b><a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> (0)</b>
+ Enable additional Postfix SMTP client logging of TLS activity.
+
+ <b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b>
+ The default SMTP TLS security level for the Postfix SMTP client;
+ when a non-empty value is specified, this overrides the obsolete
+ parameters <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>, and
+ <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>.
+
+ <b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b>
+ Name of the file containing the optional Postfix SMTP client TLS
+ session cache.
+
+ <b><a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> (empty)</b>
+ File with the Postfix SMTP server RSA certificate in PEM format.
+
+ <b><a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a> (empty)</b>
+ File with the Postfix SMTP server ECDSA certificate in PEM for-
+ mat.
+
+ <b><a href="postconf.5.html#smtpd_tls_eckey_file">smtpd_tls_eckey_file</a> ($<a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a>)</b>
+ File with the Postfix SMTP server ECDSA private key in PEM for-
+ mat.
+
+ <b><a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a> ($<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>)</b>
+ File with the Postfix SMTP server RSA private key in PEM format.
+
+ <b><a href="postconf.5.html#smtpd_tls_loglevel">smtpd_tls_loglevel</a> (0)</b>
+ Enable additional Postfix SMTP server logging of TLS activity.
+
+ <b><a href="postconf.5.html#smtpd_tls_received_header">smtpd_tls_received_header</a> (no)</b>
+ Request that the Postfix SMTP server produces Received: message
+ headers that include information about the protocol and cipher
+ used, as well as the remote SMTP client CommonName and client
+ certificate issuer CommonName.
+
+ <b><a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> (empty)</b>
+ The SMTP TLS security level for the Postfix SMTP server; when a
+ non-empty value is specified, this overrides the obsolete param-
+ eters <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> and <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>.
+
+ <b><a href="postconf.5.html#tls_random_source">tls_random_source</a> (see 'postconf -d' output)</b>
+ The external entropy source for the in-memory <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> pseudo
+ random number generator (PRNG) pool.
+
+<b>SEE ALSO</b>
+ <a href="master.8.html">master(8)</a> Postfix master program
+ <a href="postfix.1.html">postfix(1)</a> Postfix administrative interface
+
+<b>LICENSE</b>
+ The Secure Mailer license must be distributed with this software.
+
+<b>HISTORY</b>
+ The "<b>postfix tls</b>" command was introduced with Postfix version 3.1.
+
+<b>AUTHOR(S)</b>
+ Viktor Dukhovni
+
+ POSTFIX-TLS(1)
+</pre> </body> </html>
fix 2.0 and earlier, use "<b>$<a href="postconf.5.html#config_directory">config_directory</a>/post-install</b>
<b>set-permissions</b>".
+ <b>tls</b> <i>subcommand</i> <b>...</b>
+ Enable opportunistic TLS in the Postfix SMTP client or server,
+ and manage Postfix SMTP server TLS private keys and certifi-
+ cates. See <a href="postfix-tls.1.html">postfix-tls(1)</a> for documentation.
+
+ This feature is available in Postfix 3.1 and later.
+
<b>upgrade-configuration</b> [<i>name</i>=<i>value ...</i>]
Update the <a href="postconf.5.html"><b>main.cf</b></a> and <a href="master.5.html"><b>master.cf</b></a> files with information that
Postfix needs in order to run: add or update services, and add
(postfix-*.so) that have a relative pathname in the dynam-
icmaps.cf file.
+ Available in Postfix version 3.1 and later:
+
+ <b>openssl_path (openssl)</b>
+ The location of the OpenSSL command line program <b>openssl</b>(1).
+
Other configuration parameters:
<b><a href="postconf.5.html#import_environment">import_environment</a> (see 'postconf -d' output)</b>
<a href="postcat.1.html">postcat(1)</a>, examine Postfix queue file
<a href="postconf.1.html">postconf(1)</a>, Postfix configuration utility
<a href="postfix.1.html">postfix(1)</a>, Postfix control program
+ <a href="postfix-tls.1.html">postfix-tls(1)</a>, Postfix TLS management
<a href="postkick.1.html">postkick(1)</a>, trigger Postfix daemon
<a href="postlock.1.html">postlock(1)</a>, Postfix-compatible locking
<a href="postlog.1.html">postlog(1)</a>, Postfix-compatible logging
# data_directory default_database_type html_directory
# mail_spool_directory mailq_path manpage_directory meta_directory
# newaliases_path queue_directory readme_directory sendmail_path
-# shlib_directory
+# shlib_directory openssl_path
#
# See the postconf(5) manpage for a description of these
# parameters.
queue_directory_macro=DEF_QUEUE_DIR
sendmail_path_macro=DEF_SENDMAIL_PATH
shlib_directory_macro=DEF_SHLIB_DIR
+openssl_path_macro=DEF_OPENSSL_PATH
# shlib_directory is checked here because "no" is not a good answer.
# Instead, build with "dynamicmaps=no" and "shared=no" as appropriate.
for parm_name in command_directory config_directory daemon_directory \
data_directory mail_spool_directory mailq_path meta_directory \
- newaliases_path queue_directory sendmail_path shlib_directory
+ newaliases_path queue_directory sendmail_path shlib_directory \
+ openssl_path
do
eval parm_val=\"\$$parm_name\"
eval parm_macro=\"\$${parm_name}_macro\"
COMMANDS= man1/postalias.1 man1/postcat.1 man1/postconf.1 man1/postfix.1 \
man1/postkick.1 man1/postlock.1 man1/postlog.1 man1/postdrop.1 \
man1/postmap.1 man1/postmulti.1 man1/postqueue.1 man1/postsuper.1 \
- man1/sendmail.1 man1/mailq.1 man1/newaliases.1
+ man1/sendmail.1 man1/mailq.1 man1/newaliases.1 man1/postfix-tls.1
CONFIG = man5/access.5 man5/aliases.5 man5/canonical.5 man5/relocated.5 \
man5/transport.5 man5/virtual.5 man5/pcre_table.5 man5/regexp_table.5 \
man5/cidr_table.5 man5/tcp_table.5 man5/header_checks.5 \
(cmp -s junk $? || mv junk $?) && rm -f junk
../mantools/srctoman $? >$@
+man1/postfix-tls.1: ../conf/postfix-tls-script
+ ../mantools/fixman ../proto/postconf.proto $? >junk && \
+ (cmp -s junk $? || mv junk $?) && rm -f junk
+ ../mantools/srctoman - $? >$@
+
man1/postkick.1: ../src/postkick/postkick.c
../mantools/fixman ../proto/postconf.proto $? >junk && \
(cmp -s junk $? || mv junk $?) && rm -f junk
\fBpostconf\fR \fB\-t\fR [\fB\-v\fR] [\fB\-c \fIconfig_dir\fR]
[\fItemplate_file\fR]
+\fBManaging TLS features:\fR
+
+\fBpostconf\fR [\fB\-v\fR] [\fB\-c \fIconfig_dir\fR] \fB\-T \fImode\fR
+
\fBManaging other configuration:\fR
\fBpostconf\fR \fB\-a\fR|\fB\-A\fR|\fB\-l\fR|\fB\-m\fR [\fB\-v\fR]
line (in shell language: "").
This feature is available with Postfix 2.3 and later.
+.IP "\fB\-T \fImode\fB"
+If Postfix is compiled without TLS support, the \fB\-T\fR option
+produces no output. Otherwise, if an invalid \fImode\fR is specified,
+the \fB\-T\fR option reports an error and exits with a non\-zero status
+code. The valid modes are:
+.RS
+.IP \fBcompile\-version\fR
+Output the OpenSSL version that Postfix was compiled with
+(i.e. the OpenSSL version in a header file). The output
+format is the same as with the command "\fBopenssl version\fR".
+.IP \fBrun\-version\fR
+Output the OpenSSL version that Postfix is linked with at
+runtime (i.e. the OpenSSL version in a shared library).
+.IP \fBpublic\-key\-algorithms\fR
+Output the lower\-case names of the supported public\-key
+algorithms, one per\-line.
+.RE
+.IP
+This feature is available with Postfix 3.1 and later.
.IP \fB\-v\fR
Enable verbose logging for debugging purposes. Multiple
\fB\-v\fR options make the software increasingly verbose.
--- /dev/null
+.TH POSTFIX-TLS 1
+.ad
+.fi
+.SH NAME
+postfix-tls
+\-
+Postfix TLS management
+.SH "SYNOPSIS"
+.na
+.nf
+\fBpostfix tls\fR \fIsubcommand\fB ...\fR
+.SH DESCRIPTION
+.ad
+.fi
+The "\fBpostfix tls \fIsubcommand\fB ...\fR" feature enables
+opportunistic TLS in the Postfix SMTP client or server, and
+manages Postfix SMTP server private keys and certificates.
+
+The following subcommands are available:
+.IP "\fBenable\-client\fR [\fB\-r \fIrandsource\fR]"
+Enable opportunistic TLS in the Postfix SMTP client, if all
+SMTP client TLS settings are at their default values.
+Otherwise, suggest parameter settings without making any
+changes.
+.sp
+Specify \fIrandsource\fR to update the value of the
+\fBtls_random_source\fR configuration parameter (typically,
+/dev/urandom). Prepend \fBdev:\fR to device paths or
+\fBegd:\fR to EGD socket paths.
+.IP "\fBenable\-server\fR [\fB\-r \fIrandsource\fR] [\fB\-a \fIalgorithm\fR] [\fB\-b \fIbits\fR] [\fIhostname\fB ...\fR]"
+Create a new private key and self\-signed server certificate
+and enable opportunistic TLS in the Postfix SMTP server,
+if all SMTP server TLS settings are at their default values.
+Otherwise, suggest parameter settings without making any
+changes.
+.sp
+The \fIrandsource\fR parameter is as with \fBenable\-client\fR
+above, and the remaining options are as with \fBnew\-server\-key\fR
+below.
+.IP "\fBnew\-server\-key\fR [\fB\-a \fIalgorithm\fR] [\fB\-b \fIbits\fR] [\fIhostname\fB ...\fR]"
+Create a new private key and self\-signed server certificate,
+but do not deploy them. Log and display commands to deploy
+the new key and corresponding certificate. Also log and
+display commands to output a corresponding CSR or TLSA
+records which may be needed to obtain a CA certificate or
+to update DNS before the new key can be deployed.
+.sp
+The \fIalgorithm\fR defaults to \fBrsa\fR, and \fIbits\fR
+defaults to 2048. If you choose the \fBecdsa\fR \fIalgorithm\fR
+then \fIbits\fR will be an EC curve name (by default
+\fBsecp256r1\fR, also known as prime256v1). Curves other
+than \fBsecp256r1\fR, \fBsecp384r1\fR or \fBsecp521r1\fR
+are unlikely to be widely interoperable. When generating
+EC keys, use one of these three. DSA keys are obsolete and
+are not supported.
+.sp
+Note: ECDSA support requires OpenSSL 1.0.0 or later and may
+not be available on your system. Not all client systems
+will support ECDSA, so you'll generally want to deploy both
+RSA and ECDSA certificates to make use of ECDSA with
+compatible clients and RSA with the rest. If you want to
+deploy certificate chains with intermediate CAs for both
+RSA and ECDSA, you'll want at least OpenSSL 1.0.2, as earlier
+versions may not handle multiple chain files correctly.
+.sp
+The first \fIhostname\fR argument will be the \fBCommonName\fR
+of both the subject and issuer of the self\-signed certificate.
+It, and any additional \fIhostname\fR arguments, will also
+be listed as DNS alternative names in the certificate. If
+no \fIhostname\fR is provided the value of the \fBmyhostname\fR
+main.cf parameter will be used.
+.sp
+For RSA, the generated private key and certificate files
+are named \fBkey\-\fIyyyymmdd\-hhmmss\fB.pem\fR and
+\fBcert\-\fIyyyymmdd\-hhmmss\fB.pem\fR, where \fIyyyymmdd\fR
+is the calendar date and \fIhhmmss\fR is the time of day
+in UTC. For ECDSA, the file names start with \fBeckey\-\fR
+and \fBeccert\-\fR instead of \fBkey\-\fR and \fBcert\-\fR
+respectively.
+.sp
+Before deploying the new key and certificate with DANE,
+update the DNS with new DANE TLSA records, then wait for
+secondary nameservers to update and then for stale records
+in remote DNS caches to expire.
+.sp
+Before deploying a new CA certificate make sure to include
+all the required intermediate issuing CA certificates in
+the certificate chain file. The server certificate must
+be the first certificate in the chain file. Overwrite and
+deploy the file with the original self\-signed certificate
+that was generated together with the key.
+.IP "\fBnew\-server\-cert\fR [\fB\-a \fIalgorithm\fR] [\fB\-b \fIbits\fR] [\fIhostname\fB ...\fR]"
+This is just like \fBnew\-server\-key\fR except that, rather
+than generating a new private key, any currently deployed
+private key is copied to the new key file. Thus if you're
+publishing DANE TLSA "3 1 1" or "3 1 2" records, there is
+no need to update DNS records. The \fIalgorithm\fB and
+\fIbits\fR arguments are used only if no key of the same
+algorithm is already configured.
+.sp
+This command is rarely needed, because the self\-signed
+certificates generated have a 100\-year nominal expiration
+time. The underlying public key algorithms may well be
+obsoleted by quantum computers long before then.
+.sp
+The most plausible reason for using this command is when
+the system hostname changes, and you'd like the name in the
+certificate to match the new hostname (not required for
+DANE "3 1 1", but some needlessly picky non\-DANE opportunistic
+TLS clients may log warnings or even refuse to communicate).
+.IP "\fBdeploy\-server\-cert \fIcertfile\fB \fIkeyfile\fR"
+This subcommand deploys the certificates in \fIcertfile\fR
+and private key in \fIkeyfile\fR (which are typically
+generated by the commands above, which will also log and
+display the full command needed to deploy the generated key
+and certificate). After the new certificate and key are
+deployed any obsolete keys and certificates may be removed
+by hand. The \fIkeyfile\fR and \fIcertfile\fR filenames
+are relative to the Postfix configuration directory.
+.IP "\fBoutput\-server\-csr\fR [\fB\-k \fIkeyfile\fR] [\fIhostname\fB
+...\fR]"
+Write to stdout a certificate signing request (CSR) for the
+specified \fIkeyfile\fR.
+.sp
+Instead of a filename, \fIkeyfile\fR may specify one of the
+supported key algorithm names (see "\fBpostconf \-T
+public\-key\-algorithms\fR"). In that case, the corresponding
+setting from main.cf is used to locate the \fIkeyfile\fR.
+The default \fIkeyfile\fR value is \fBrsa\fR.
+.sp
+Zero or more \fIhostname\fR values can be specified. The
+default \fIhostname\fR is the value of \fBmyhostname\fR
+main.cf parameter.
+.IP "\fBoutput\-server\-tlsa\fR [\fB\-h \fIhostname\fR] [\fIkeyfile\fB ...\fR]"
+Write to stdout a DANE TLSA RRset suitable for a port 25
+SMTP server on host \fIhostname\fR with keys from any of
+the specified \fIkeyfile\fR values. The default \fIhostname\fR
+is the value of the \fBmyhostname\fR main.cf parameter.
+.sp
+Instead of filenames, the \fIkeyfile\fR list may specify
+names of supported public key algorithms (see "\fBpostconf
+\-T public\-key\-algorithms\fR"). In that case, the actual
+\fIkeyfile\fR list uses the values of the corresponding
+Postfix server TLS key file parameters. If a parameter
+value is empty or equal to \fBnone\fR, then no TLSA record
+is output for that algorithm.
+.sp
+The default \fIkeyfile\fR list consists of the two supported
+algorithms \fBrsa\fR and \fBecdsa\fR.
+.SH "CONFIGURATION PARAMETERS"
+.na
+.nf
+.ad
+.fi
+The "\fBpostfix tls \fIsubcommand\fB ...\fR" feature reads
+or updates the following configuration parameters.
+.IP "\fBcommand_directory (see 'postconf -d' output)\fR"
+The location of all postfix administrative commands.
+.IP "\fBconfig_directory (see 'postconf -d' output)\fR"
+The default location of the Postfix main.cf and master.cf
+configuration files.
+.IP "\fBopenssl_path (openssl)\fR"
+The location of the OpenSSL command line program \fBopenssl\fR(1).
+.IP "\fBsmtp_tls_loglevel (0)\fR"
+Enable additional Postfix SMTP client logging of TLS activity.
+.IP "\fBsmtp_tls_security_level (empty)\fR"
+The default SMTP TLS security level for the Postfix SMTP client;
+when a non\-empty value is specified, this overrides the obsolete
+parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
+.IP "\fBsmtp_tls_session_cache_database (empty)\fR"
+Name of the file containing the optional Postfix SMTP client
+TLS session cache.
+.IP "\fBsmtpd_tls_cert_file (empty)\fR"
+File with the Postfix SMTP server RSA certificate in PEM format.
+.IP "\fBsmtpd_tls_eccert_file (empty)\fR"
+File with the Postfix SMTP server ECDSA certificate in PEM format.
+.IP "\fBsmtpd_tls_eckey_file ($smtpd_tls_eccert_file)\fR"
+File with the Postfix SMTP server ECDSA private key in PEM format.
+.IP "\fBsmtpd_tls_key_file ($smtpd_tls_cert_file)\fR"
+File with the Postfix SMTP server RSA private key in PEM format.
+.IP "\fBsmtpd_tls_loglevel (0)\fR"
+Enable additional Postfix SMTP server logging of TLS activity.
+.IP "\fBsmtpd_tls_received_header (no)\fR"
+Request that the Postfix SMTP server produces Received: message
+headers that include information about the protocol and cipher used,
+as well as the remote SMTP client CommonName and client certificate issuer
+CommonName.
+.IP "\fBsmtpd_tls_security_level (empty)\fR"
+The SMTP TLS security level for the Postfix SMTP server; when
+a non\-empty value is specified, this overrides the obsolete parameters
+smtpd_use_tls and smtpd_enforce_tls.
+.IP "\fBtls_random_source (see 'postconf -d' output)\fR"
+The external entropy source for the in\-memory \fBtlsmgr\fR(8) pseudo
+random number generator (PRNG) pool.
+.SH "SEE ALSO"
+.na
+.nf
+master(8) Postfix master program
+postfix(1) Postfix administrative interface
+.SH "LICENSE"
+.na
+.nf
+.ad
+.fi
+The Secure Mailer license must be distributed with this software.
+.SH HISTORY
+.ad
+.fi
+The "\fBpostfix tls\fR" command was introduced with Postfix
+version 3.1.
+.SH "AUTHOR(S)"
+.na
+.nf
+Viktor Dukhovni
This feature is available in Postfix 2.1 and later. With
Postfix 2.0 and earlier, use "\fB$config_directory/post\-install
set\-permissions\fR".
+.IP "\fBtls\fR \fIsubcommand\fB ...\fR
+Enable opportunistic TLS in the Postfix SMTP client or
+server, and manage Postfix SMTP server TLS private keys and
+certificates. See postfix\-tls(1) for documentation.
+.sp
+This feature is available in Postfix 3.1 and later.
.IP "\fBupgrade\-configuration\fR [\fIname\fR=\fIvalue ...\fR]
Update the \fBmain.cf\fR and \fBmaster.cf\fR files with information
that Postfix needs in order to run: add or update services, and add
plugins (postfix\-*.so) that have a relative pathname in the
dynamicmaps.cf file.
.PP
+Available in Postfix version 3.1 and later:
+.IP "\fBopenssl_path (openssl)\fR"
+The location of the OpenSSL command line program \fBopenssl\fR(1).
+.PP
Other configuration parameters:
.IP "\fBimport_environment (see 'postconf -d' output)\fR"
The list of environment parameters that a Postfix process will
postcat(1), examine Postfix queue file
postconf(1), Postfix configuration utility
postfix(1), Postfix control program
+postfix\-tls(1), Postfix TLS management
postkick(1), trigger Postfix daemon
postlock(1), Postfix\-compatible locking
postlog(1), Postfix\-compatible logging
and reject_unknown_recipient_domain.
.PP
This feature is available in Postfix 3.0 and later.
+.SH openssl_path (default: openssl)
+The location of the OpenSSL command line program \fBopenssl\fR(1). This
+is used by the "\fBpostfix tls\fR" command to create private keys,
+certificate signing requests, self\-signed certificates, and to
+compute public key digests for DANE TLSA records. In multi\-instance
+environments, this parameter is always determined from the configuration
+of the default Postfix instance.
+.PP
+Example:
+.sp
+.in +4
+.nf
+.na
+.ft C
+/etc/postfix/main.cf:
+ # NetBSD pkgsrc:
+ openssl_path = /usr/pkg/bin/openssl
+ # Local build:
+ openssl_path = /usr/local/bin/openssl
+.fi
+.ad
+.ft R
+.in -4
+.PP
+This feature is available in Postfix 3.1 and later.
.SH owner_request_special (default: yes)
Give special treatment to owner\-listname and listname\-request
address localparts: don't split such addresses when the
s;\bnewaliases_path\b;<a href="postconf.5.html#newaliases_path">$&</a>;g;
s;\bnon_fqdn_reject_code\b;<a href="postconf.5.html#non_fqdn_reject_code">$&</a>;g;
s;\bnotify_classes\b;<a href="postconf.5.html#notify_classes">$&</a>;g;
+ s;\bopenssl_path\b;<a href="postconf.5.html#openssl_path">$&</a>;g;
s;\bowner_request_special\b;<a href="postconf.5.html#owner_request_special">$&</a>;g;
s;\bpar[-</bB>]*\n* *[<bB>]*ent_domain_matches_subdomains\b;<a href="postconf.5.html#parent_domain_matches_subdomains">$&</a>;g;
s;\bpermit_mx_backup_networks\b;<a href="postconf.5.html#permit_mx_backup_networks">$&</a>;g;
s/[<bB>]*post[-<\/bB>]*\n*[ <bB>]*conf[<\/bB>]*\(1\)/<a href="postconf.1.html">$&<\/a>/g;
s/[<bB>]*postdrop[<\/bB>]*\(1\)/<a href="postdrop.1.html">$&<\/a>/g;
s/[<bB>]*post[-<\/bB>]*\n* *[<bB>]*fix[<\/bB>]*\(1\)/<a href="postfix.1.html">$&<\/a>/g;
+ s/[<bB>]*post[-<\/bB>]*\n* *[<bB>]*fix-tls[<\/bB>]*\(1\)/<a href="postfix-tls.1.html">$&<\/a>/g;
s/[<bB>]*postkick[<\/bB>]*\(1\)/<a href="postkick.1.html">$&<\/a>/g;
s/[<bB>]*postlock[<\/bB>]*\(1\)/<a href="postlock.1.html">$&<\/a>/g;
s/[<bB>]*postlog[<\/bB>]*\(1\)/<a href="postlog.1.html">$&<\/a>/g;
.fi/
/^DIAGNOSTICS/s//.SH &\
.ad\
+.fi/
+ /^HISTORY/s//.SH &\
+.ad\
.fi/
/^[A-Z][A-Z][A-Z][^a-z]*$/s//.SH "&"\
.na\
<tr> <td>newaliases_path</td> <td>/usr/bin/newaliases</td> </tr>
+<tr> <td>openssl_path</td> <td>openssl</td> </tr>
+
<tr> <td>queue_directory</td> <td>/var/spool/postfix</td> </tr>
<tr> <td>readme_directory</td> <td>no</td> </tr>
sign your own Postfix public key certificate, you get TLS encryption
but no TLS authentication. This is sufficient for testing, and
for exchanging email with sites that you have no trust relationship
-with. For real authentication, your Postfix public key certificate
-needs to be signed by a recognized Certification Authority, and
-Postfix needs to be configured with a list of public key certificates
-of Certification Authorities, so that Postfix can verify the public key
-certificates of remote hosts. </p>
+with. For real authentication you need also enable DNSSEC record
+signing for your domain and publish TLSA records and/or your Postfix
+public key certificate needs to be signed by a recognized Certification
+Authority. To authenticate the certificates of remote host you
+need a DNSSEC-validating local resolver and to enable <a
+href="#client_tls_dane">DANE</a> authentication and/or configure
+the Postfix SMTP client with a list of public key certificates of
+Certification Authorities, but make sure to read about the <a
+href="#client_tls_limits">limitations</a> of the latter approach.
+</p>
<p> In the examples below, user input is shown in <b><tt>bold</tt></b>
font, and a "<tt>#</tt>" prompt indicates a super-user shell. </p>
<ul>
-<li> <p> <a name="#self-signed">Self-signed server certificate</a>.</p>
+<li> <p> <a href="#built-in">Quick-start TLS with Postfix ≥ 3.1</a>.</p>
+
+<li> <p> <a href="#self-signed">Self-signed server certificate</a>.</p>
+
+<li> <p> <a href="#private-ca">Private Certification Authority</a>. </p>
+
+</ul>
+
+<h3><a name="built-in">Quick-start TLS with Postfix ≥ 3.1</a></h3>
-<li> <p> <a name="#private-ca">Private Certification Authority</a>. </p>
+<p> Postfix 3.1 provides built-in support for enabling TLS in the
+SMTP client and server and for ongoing certificate and DANE TLSA
+record management.
+<ul>
+<li> <p> <a href="#quick-client">Quick-start TLS in the Postfix ≥ 3.1 SMTP client</a>. </p>
+<li> <p> <a href="#quick-server">Quick-start TLS in the Postfix ≥ 3.1 SMTP server</a>. </p>
</ul>
+<h4> <a name="quick-client">Quick-start TLS in the Postfix ≥ 3.1 SMTP client</a>. </h4>
+
+<p> If you are using Postfix 3.1 or later, and your SMTP client TLS
+settings are in their default state, you can enable <a
+href="#client_tls_may">opportunistic</a> TLS in the SMTP client as
+follows: </p>
+
+<blockquote>
+<pre>
+# postfix tls enable-client
+# postfix reload
+</pre>
+</blockquote>
+
+<p> If some of the Postfix SMTP client TLS settings are not in their
+default state, this will not make any changes, but will instead
+suggest the minimal required settings for SMTP client TLS. The
+"postfix reload" command is optional, it is only needed if you want
+the settings to take effect right away. Note, this does not enable
+trust in any public certification authorities, and does not configure
+client TLS certificates as these are largely pointless with <a
+href="#client_tls_may">opportunistic</a> TLS. </p>
+
+<p> There is not yet a turn-key command for enabling <a
+href="#client_tls_dane">DANE</a> authentication. This is because
+DANE requires changes to your <b>resolv.conf</b> file and a
+corresponding DNSSEC-validating resolver local to the Postfix host,
+these changes are difficult to automate in a portable way. </p>
+
+<p> If you're willing to revert your settings to the defaults and
+switch to a "stock" opportunistic TLS configuration, then you can:
+erase all the SMTP client TLS settings and then enable client TLS: </p>
+
+<blockquote>
+<pre>
+# postconf -X `postconf -nH | egrep '^smtp(_|_enforce_|_use_)tls'`
+# postfix tls enable-client
+# postfix reload
+</pre>
+</blockquote>
+
+<h4><a name="quick-server">Quick-start TLS in the Postfix ≥ 3.1 SMTP server</a>.</h4>
+
+<p> If you are using Postfix 3.1 or later, and your SMTP server TLS
+settings are in their default state, you can enable
+opportunistic TLS in the SMTP server as follows: </p>
+
+<blockquote>
+<pre>
+# postfix tls enable-server
+# postfix reload
+</pre>
+</blockquote>
+
+<p> If some of the Postfix SMTP client TLS settings are not in their
+default state, this will not make any changes, but will instead
+suggest the minimal required settings for SMTP client TLS. The
+"postfix reload" command is optional, it is only needed if you want
+the settings to take effect right away. This will generate a
+self-signed private key and certificate and enable TLS in the Postfix
+SMTP server. </p>
+
+<p> If you're willing to revert your settings to the defaults and
+switch to a "stock" server TLS configuration, then you can: erase
+all the SMTP server TLS settings and then enable server TLS: </p>
+
+<blockquote>
+<pre>
+# postconf -X `postconf -nH | egrep '^smtpd(_|_enforce_|_use_)tls'`
+# postfix tls enable-server
+# postfix reload
+</pre>
+</blockquote>
+
+<p> Postfix ≥ 3.1 provides additional built-in support for ongoing
+management of TLS in the SMTP server, via additional "postfix tls"
+sub-commands. These make it easy to generate certificate signing
+requests, create and deploy new keys and certificates, and generate
+DANE TLSA records. See the postfix-tls(1) documentation for details.
+</p>
+
<h3><a name="self-signed">Self-signed server certificate</a></h3>
<p> The following commands (credits: Viktor Dukhovni) generate and
policy is backwards-compatible with earlier Postfix versions.
</p>
+%PARAM openssl_path openssl
+
+<p>
+The location of the OpenSSL command line program openssl(1). This
+is used by the "<b>postfix tls</b>" command to create private keys,
+certificate signing requests, self-signed certificates, and to
+compute public key digests for DANE TLSA records. In multi-instance
+environments, this parameter is always determined from the configuration
+of the default Postfix instance.
+</p>
+
+<p> Example: </p>
+
+<blockquote>
+<pre>
+/etc/postfix/main.cf:
+ # NetBSD pkgsrc:
+ openssl_path = /usr/pkg/bin/openssl
+ # Local build:
+ openssl_path = /usr/local/bin/openssl
+</pre>
+</blockquote>
+
+<p>
+This feature is available in Postfix 3.1 and later.
+</p>
+
%PARAM address_verify_pending_request_limit see "postconf -d" output
<p> A safety limit that prevents address verification requests from
#define DEF_NEWALIAS_PATH "/usr/bin/newaliases"
#endif
+#define VAR_OPENSSL_PATH "openssl_path"
+#ifndef DEF_OPENSSL_PATH
+#define DEF_OPENSSL_PATH "openssl"
+#endif
+
#define VAR_MANPAGE_DIR "manpage_directory"
#ifndef DEF_MANPAGE_DIR
#define DEF_MANPAGE_DIR "/usr/local/man"
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20160206"
+#define MAIL_RELEASE_DATE "20160207"
#define MAIL_VERSION_NUMBER "3.1"
#ifdef SNAPSHOT
SAMPLES = ../../conf/main.cf.default
INC_DIR = ../../include
LIBS = ../../lib/libxsasl.a \
+ ../../lib/lib$(LIB_PREFIX)tls$(LIB_SUFFIX) \
+ ../../lib/lib$(LIB_PREFIX)dns$(LIB_SUFFIX) \
../../lib/lib$(LIB_PREFIX)global$(LIB_SUFFIX) \
../../lib/lib$(LIB_PREFIX)util$(LIB_SUFFIX)
postconf_other.o: ../../include/argv.h
postconf_other.o: ../../include/check_arg.h
postconf_other.o: ../../include/dict.h
+postconf_other.o: ../../include/dns.h
postconf_other.o: ../../include/htable.h
postconf_other.o: ../../include/mbox_conf.h
+postconf_other.o: ../../include/myaddrinfo.h
postconf_other.o: ../../include/myflock.h
postconf_other.o: ../../include/name_code.h
+postconf_other.o: ../../include/name_mask.h
+postconf_other.o: ../../include/sock_addr.h
postconf_other.o: ../../include/sys_defs.h
+postconf_other.o: ../../include/tls.h
postconf_other.o: ../../include/vbuf.h
postconf_other.o: ../../include/vstream.h
postconf_other.o: ../../include/vstring.h
/* \fBpostconf\fR \fB-t\fR [\fB-v\fR] [\fB-c \fIconfig_dir\fR]
/* [\fItemplate_file\fR]
/*
+/* \fBManaging TLS features:\fR
+/*
+/* \fBpostconf\fR [\fB-v\fR] [\fB-c \fIconfig_dir\fR] \fB-T \fImode\fR
+/*
/* \fBManaging other configuration:\fR
/*
/* \fBpostconf\fR \fB-a\fR|\fB-A\fR|\fB-l\fR|\fB-m\fR [\fB-v\fR]
/* line (in shell language: "").
/*
/* This feature is available with Postfix 2.3 and later.
+/* .IP "\fB-T \fImode\fB"
+/* If Postfix is compiled without TLS support, the \fB-T\fR option
+/* produces no output. Otherwise, if an invalid \fImode\fR is specified,
+/* the \fB-T\fR option reports an error and exits with a non-zero status
+/* code. The valid modes are:
+/* .RS
+/* .IP \fBcompile-version\fR
+/* Output the OpenSSL version that Postfix was compiled with
+/* (i.e. the OpenSSL version in a header file). The output
+/* format is the same as with the command "\fBopenssl version\fR".
+/* .IP \fBrun-version\fR
+/* Output the OpenSSL version that Postfix is linked with at
+/* runtime (i.e. the OpenSSL version in a shared library).
+/* .IP \fBpublic-key-algorithms\fR
+/* Output the lower-case names of the supported public-key
+/* algorithms, one per-line.
+/* .RE
+/* .IP
+/* This feature is available with Postfix 3.1 and later.
/* .IP \fB-v\fR
/* Enable verbose logging for debugging purposes. Multiple
/* \fB-v\fR options make the software increasingly verbose.
/* Major modes. */
PCF_SHOW_SASL_SERV | PCF_SHOW_SASL_CLNT | PCF_EXP_DSN_TEMPL \
|PCF_SHOW_LOCKS | PCF_SHOW_MAPS | PCF_DUMP_DSN_TEMPL | PCF_MAIN_PARAM \
- |PCF_MASTER_ENTRY | PCF_MASTER_FLD | PCF_MASTER_PARAM,
+ |PCF_MASTER_ENTRY | PCF_MASTER_FLD | PCF_MASTER_PARAM | PCF_SHOW_TLS,
/* Modifiers. */
PCF_SHOW_DEFS | PCF_EDIT_CONF | PCF_SHOW_NONDEF | PCF_COMMENT_OUT \
|PCF_EDIT_EXCL,
{PCF_EXP_DSN_TEMPL, 0},
{PCF_SHOW_LOCKS, 0},
{PCF_SHOW_MAPS, 0,},
+ {PCF_SHOW_TLS, 0,},
{PCF_DUMP_DSN_TEMPL, 0},
{PCF_MAIN_PARAM, (PCF_EDIT_CONF | PCF_EDIT_EXCL | PCF_COMMENT_OUT \
|PCF_FOLD_LINE | PCF_HIDE_NAME | PCF_PARAM_CLASS \
"-p", PCF_MAIN_PARAM,
"-P", PCF_MASTER_PARAM,
"-t", PCF_DUMP_DSN_TEMPL,
+ "-T", PCF_SHOW_TLS,
"-x", PCF_SHOW_EVAL,
"-X", PCF_EDIT_EXCL,
"-#", PCF_COMMENT_OUT,
" [-p (main.cf, default)]"
" [-P (master.cf parameters)]"
" [-t (bounce templates)]"
+ " [-T compile-version|run-version|public-key-algorithms]"
" [-v (verbose)]"
" [-x (expand parameter values)]"
" [-X (exclude)]"
0,
};
ARGV *override_params = 0;
+ const char *pcf_tls_arg = 0;
/*
* Fingerprint executables and core dumps.
/*
* Parse JCL.
*/
- while ((ch = GETOPT(argc, argv, "aAbc:C:deEfFhHlmMno:pPtvxX#")) > 0) {
+ while ((ch = GETOPT(argc, argv, "aAbc:C:deEfFhHlmMno:pPtT:vxX#")) > 0) {
switch (ch) {
case 'a':
pcf_cmd_mode |= PCF_SHOW_SASL_SERV;
ext_argv = argv_alloc(2);
argv_add(ext_argv, "bounce", "-SVndump_templates", (char *) 0);
break;
+ case 'T':
+ if (pcf_cmd_mode & PCF_SHOW_TLS)
+ msg_fatal("At most one -T <mode> option may be specified");
+ pcf_cmd_mode |= PCF_SHOW_TLS;
+ pcf_tls_arg = optarg;
+ break;
case 'x':
pcf_cmd_mode |= PCF_SHOW_EVAL;
break;
pcf_show_sasl(PCF_SHOW_SASL_CLNT);
}
+ /*
+ * Show TLS info and exit.
+ */
+ else if (pcf_cmd_mode & PCF_SHOW_TLS) {
+ pcf_show_tls(pcf_tls_arg);
+ }
+
/*
* Edit main.cf or master.cf.
*/
#define PCF_DUMP_DSN_TEMPL (1<<18) /* show bounce templates */
#define PCF_MASTER_PARAM (1<<19) /* manage master.cf -o name=value */
#define PCF_HIDE_VALUE (1<<20) /* hide main.cf/master.cf =value */
+#define PCF_SHOW_TLS (1<<21) /* TLS support introspection */
#define PCF_DEF_MODE 0
extern void pcf_show_maps(void);
extern void pcf_show_locks(void);
extern void pcf_show_sasl(int);
+extern void pcf_show_tls(const char *);
/* LICENSE
/* .ad
/*
/* void pcf_show_sasl(mode)
/* int mode;
+/*
+/* void pcf_show_tls(what)
+/* const char *what;
/* DESCRIPTION
/* pcf_show_maps() lists the available map (lookup table)
/* types.
/* pcf_show_sasl() shows the available SASL authentication
/* plugin types.
/*
+/* pcf_show_tls() reports the "compile-version" or "run-version"
+/* of the TLS library, or the supported public-key algorithms.
+/*
/* Arguments:
/* .IP mode
/* Show server information if the PCF_SHOW_SASL_SERV flag is
/* set, otherwise show client information.
+/* .IP what
+/* One of the literals "compile-version", "run-version" or
+/* "public-key-algorithms".
/* DIAGNOSTICS
/* Problems are reported to the standard error stream.
/* LICENSE
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
#include <vstream.h>
#include <argv.h>
#include <dict.h>
+#include <msg.h>
/* Global library. */
#include <xsasl.h>
+/* TLS library. */
+
+#include <tls.h>
+
/* Application-specific. */
#include <postconf.h>
vstream_printf("%s\n", sasl_argv->argv[i]);
argv_free(sasl_argv);
}
+
+/* pcf_show_tls - show TLS support */
+
+void pcf_show_tls(const char *what)
+{
+#ifdef USE_TLS
+ if (strcmp(what, "compile-version") == 0)
+ vstream_printf("%s\n", tls_compile_version());
+ else if (strcmp(what, "run-version") == 0)
+ vstream_printf("%s\n", tls_run_version());
+ else if (strcmp(what, "public-key-algorithms") == 0) {
+ const char **cpp;
+
+ for (cpp = tls_pkey_algorithms(); *cpp; cpp++)
+ vstream_printf("%s\n", *cpp);
+ } else {
+ msg_warn("unknown 'postconf -T' mode: %s", what);
+ exit(1);
+ }
+#endif /* USE_TLS */
+}
/* This feature is available in Postfix 2.1 and later. With
/* Postfix 2.0 and earlier, use "\fB$config_directory/post-install
/* set-permissions\fR".
+/* .IP "\fBtls\fR \fIsubcommand\fB ...\fR
+/* Enable opportunistic TLS in the Postfix SMTP client or
+/* server, and manage Postfix SMTP server TLS private keys and
+/* certificates. See postfix-tls(1) for documentation.
+/* .sp
+/* This feature is available in Postfix 3.1 and later.
/* .IP "\fBupgrade-configuration\fR [\fIname\fR=\fIvalue ...\fR]
/* Update the \fBmain.cf\fR and \fBmaster.cf\fR files with information
/* that Postfix needs in order to run: add or update services, and add
/* plugins (postfix-*.so) that have a relative pathname in the
/* dynamicmaps.cf file.
/* .PP
+/* Available in Postfix version 3.1 and later:
+/* .IP "\fBopenssl_path (openssl)\fR"
+/* The location of the OpenSSL command line program \fBopenssl\fR(1).
+/* .PP
/* Other configuration parameters:
/* .IP "\fBimport_environment (see 'postconf -d' output)\fR"
/* The list of environment parameters that a Postfix process will
/* postcat(1), examine Postfix queue file
/* postconf(1), Postfix configuration utility
/* postfix(1), Postfix control program
+/* postfix-tls(1), Postfix TLS management
/* postkick(1), trigger Postfix daemon
/* postlock(1), Postfix-compatible locking
/* postlog(1), Postfix-compatible logging
*/
extern void tls_session_stop(TLS_APPL_STATE *, VSTREAM *, int, int, TLS_SESS_STATE *);
+ /*
+ * tls_misc.c
+ */
+extern const char *tls_compile_version(void);
+extern const char *tls_run_version(void);
+extern const char **tls_pkey_algorithms(void);
+
#ifdef TLS_INTERNAL
#include <vstring.h>
/* bool var_tls_multi_wildcard;
/* char *var_tls_mgr_service;
/* char *var_tls_tkt_cipher;
+/* char *var_openssl_path;
/*
/* TLS_APPL_STATE *tls_alloc_app_context(ssl_ctx, log_mask)
/* SSL_CTX *ssl_ctx;
/*
/* void tls_update_app_logmask(app_ctx, log_mask)
/* TLS_APPL_STATE *app_ctx;
-/* int log_mask;
+/* int log_mask;
/*
/* int tls_validate_digest(dgst)
/* const char *dgst;
+/*
+/* const char *tls_compile_version(void)
+/*
+/* const char *tls_run_version(void)
+/*
+/* const char **tls_pkey_algorithms(void)
/* DESCRIPTION
/* This module implements routines that support the TLS client
/* and server internals.
/*
/* tls_validate_digest() returns non-zero if the named digest
/* is usable and zero otherwise.
+/*
+/* tls_compile_version() returns a text string description of
+/* the compile-time TLS library.
+/*
+/* tls_run_version() is just tls_compile_version() but with the runtime
+/* version instead of the compile-time version.
+/*
+/* tls_pkey_algorithms() returns a pointer to null-terminated
+/* array of string constants with the names of the supported
+/* public-key algorithms.
/* LICENSE
/* .ad
/* .fi
/*
/* Victor Duchovni
/* Morgan Stanley
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
bool var_tls_multi_wildcard;
char *var_tls_mgr_service;
char *var_tls_tkt_cipher;
+char *var_openssl_path;
#ifdef VAR_TLS_PREEMPT_CLIST
bool var_tls_preempt_clist;
VAR_TLS_DANE_DIGESTS, DEF_TLS_DANE_DIGESTS, &var_tls_dane_digests, 1, 0,
VAR_TLS_MGR_SERVICE, DEF_TLS_MGR_SERVICE, &var_tls_mgr_service, 1, 0,
VAR_TLS_TKT_CIPHER, DEF_TLS_TKT_CIPHER, &var_tls_tkt_cipher, 0, 0,
+ VAR_OPENSSL_PATH, DEF_OPENSSL_PATH, &var_openssl_path, 1, 0,
0,
};
static const CONFIG_INT_TABLE int_table[] = {
/* tls_version_split - Split OpenSSL version number into major, minor, ... */
-static void tls_version_split(long version, TLS_VINFO *info)
+static void tls_version_split(unsigned long version, TLS_VINFO *info)
{
/*
hdr_info.major, hdr_info.minor, hdr_info.micro);
}
+/* tls_compile_version - compile-time OpenSSL version */
+
+const char *tls_compile_version(void)
+{
+ return (OPENSSL_VERSION_TEXT);
+}
+
+/* tls_run_version - run-time version "major.minor.micro" */
+
+const char *tls_run_version(void)
+{
+ return (OpenSSL_version(OPENSSL_VERSION));
+}
+
+const char **tls_pkey_algorithms(void)
+{
+
+ /*
+ * Return an array, not string, so that the result can be inspected
+ * without parsing. Sort the result alphabetically, not chronologically.
+ */
+ static const char *algs[] = {
+#ifndef OPENSSL_NO_DSA
+ "dsa",
+#endif
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L && !defined(OPENSSL_NO_ECDSA)
+ "ecdsa",
+#endif
+#ifndef OPENSSL_NO_RSA
+ "rsa",
+#endif
+ 0,
+ };
+
+ return (algs);
+}
+
/* tls_bug_bits - SSL bug compatibility bits for this OpenSSL version */
long tls_bug_bits(void)
projects / thirdparty / postfix.git / commitdiff
