diff --git a/postfix/HISTORY b/postfix/HISTORY
index 94555dc73..c8b1f7853 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -28914,22 +28914,75 @@ Apologies for any names omitted.
bounce/bounce_one_service.c, bounce/bounce_trace_service.c,
bounce/bounce_verp_service.c, bounce/bounce_warn_service.c.
+ Completed: new Postfix sendmail command option "-O requiretls"
+ to request that deliveries over SMTP use the REQUIRETLS
+ extension. The option value "requiretls" is case-insensitive.
+ Files: sendmail/sendmail.c, global/rec_types.h.
+
+ Cleanup: new Postfix sendmail command option "-O smtputf8"
+ to request that deliveries over SMTP use the SMTPUTF8
+ extension. This reuses logic that was introduced for
+ REQUIRETLS. The option value "smtputf8" is case-insensitive.
+ Files: sendmail/sendmail.c.
+
+ Cleanup: when message delivery requires that a remote SMTP
+ server supports SMTPUTF8, try multiple MX servers before
+ returning a message as undeliverable. This reuses logic
+ that was introduced for REQUIRETLS. File: smtp/smtp_proto.c.
+
TODO:
- The RFC says that REQUIRETLS applies to LMTP. Dovecot supports
- TLS, but how common is it for Postfix to verify a Dovecot
- server certificate? Should we add a 'cheat' setting that does
- not enforce REQUIRETLS?
+ What REQUIRETLS expectations can we enforce when delivering
+ over a UNIX-domain channel? The SMTP/LMTP client currently
+ implements the same behavior as for TCP, except that
+ opportunistic TLS is converted into 'none'.
- If a message contains "TLS-Required: no", should a bounce message
- also contain this header?
+ Document how REQUIRETLS works (or does not) with external
+ content filters.
- If the Postfix SMTP server accepted REQUIRETLS, should that stay
- in effect if, before the message is forwarded, the configuration
- is changed to "requiretls_enable = no"? Same for "postsuper -r".
+ - REQUIRETLS will work with Milter-based content filters.
- Ditto for "tls_required_enable = no" and "TLS-Required: no".
+ - REQUIRETLS will work with smtpd_proxy_filter as long as
+ the filter passes the entire Postfix SMTP client's MAIL
+ FROM command line through the filter to the Postfix SMTP
+ server after the proxy filter. The Postfix proxy filter
+ client does not need to see REQUIRETLS (or SMTPUTF8)
+ announcements in the filter's EHLO response.
- Simplify the cleanup_envelope_test. Write the initial SIZE record
- to /dev/null, don't call cleanup_final(), and verify the value
- of state->sendopts.
+ - REQUIRETLS will work with an SMTP-based after-queue content
+ filters as long as the filter announces REQUIRETLS in the
+ EHLO response (this could be 'always', or copied from the
+ after-filter Postfix SMTP server's EHLO response), and
+ as long as the filter passes the entire MAIL FROM command
+ from the before-filter Postfix SMTP client to the
+ after-filter Postfix SMTP server. Apart from that, the
+ content filter does not need to 'know' that REQUIRETLS
+ exists.
+
+ - There currently is no sendmail(1) command-line option to
+ request REQUIRETLS, and no pipe(8) option to propagate
+ REQUIRETLS. We could invent a custom long option,
+ such as '-O RequireTLS' and some way to emit that with
+ pipe(8). Absent such a command-line option we could use
+ an environment variable but that will have to be supported
+ long-term.
+
+ The RFC says that REQUIRETLS applies to LMTP. Dovecot
+ supports TLS, but how common is it for Postfix to verify a
+ Dovecot server certificate? Should we add a 'cheat' setting
+ that does not enforce REQUIRETLS?
+
+ If a message contains "TLS-Required: no", should a bounce
+ message also contain this header?
+
+ If the Postfix SMTP server accepted REQUIRETLS, should that
+ stay in effect if, before the message is forwarded, the
+ configuration is changed to "requiretls_enable = no"? Same
+ for "postsuper -r".
+
+ Ditto for "tls_required_enable = no" and "TLS-Required:
+ no".
+
+ Simplify the cleanup_envelope_test. Write the initial SIZE
+ record to /dev/null, don't call cleanup_final(), and verify
+ the value of state->sendopts.
diff --git a/postfix/html/mailq.1.html b/postfix/html/mailq.1.html
index 4645b733a..a494b5bfe 100644
--- a/postfix/html/mailq.1.html
+++ b/postfix/html/mailq.1.html
@@ -174,54 +174,75 @@ SENDMAIL(1) SENDMAIL(1)
This feature is available in Postfix 2.3 and later.
+ -O requiretls
+ When delivering the message with SMTP, the connection must use
+ TLS with a verified server certificate, and the remote SMTP
+ server must support REQUIRETLS. Try multiple SMTP servers if
+ possible, and return the message as undeliverable when these
+ requirements were not satisfied with any of the remote SMTP
+ servers that were tried. The "requiretls" option value is
+ case-insensitive.
+
+ This feature is available in Postfix 3.10 and later.
+
+ -O smtputf8
+ When delivering the message with SMTP, the connection must use
+ the SMTPUTF8 extension. Try multiple SMTP servers if possible,
+ and return the message as undeliverable when a message contains
+ an UTF8 envelope address or message header, but SMTPUTF8 was not
+ supported by any of the remote SMTP servers that were tried. The
+ "smtputf8" option value is case-insensitive.
+
+ This feature is available in Postfix 3.10 and later.
+
-n (ignored)
Backwards compatibility.
-oAalias_database
- Non-default alias database. Specify pathname or type:pathname.
+ Non-default alias database. Specify pathname or type:pathname.
See postalias(1) for details.
-O option=value (ignored)
- Set the named option to value. Use the equivalent configuration
+ Set the named option to value. Use the equivalent configuration
parameter in main.cf instead.
-o7 (ignored)
-o8 (ignored)
- To send 8-bit or binary content, use an appropriate MIME encap-
+ To send 8-bit or binary content, use an appropriate MIME encap-
sulation and specify the appropriate -B command-line option.
- -oi When reading a message from standard input, don't treat a line
+ -oi When reading a message from standard input, don't treat a line
with only a . character as the end of input.
-om (ignored)
The sender is never eliminated from alias etc. expansions.
-o x value (ignored)
- Set option x to value. Use the equivalent configuration parame-
+ Set option x to value. Use the equivalent configuration parame-
ter in main.cf instead.
-r sender
- Set the envelope sender address. This is the address where
+ Set the envelope sender address. This is the address where
delivery problems are sent to. With Postfix versions before 2.1,
- the Errors-To: message header overrides the error return
+ the Errors-To: message header overrides the error return
address.
-R return
- Delivery status notification control. Specify "hdrs" to return
- only the header when a message bounces, "full" to return a full
+ Delivery status notification control. Specify "hdrs" to return
+ only the header when a message bounces, "full" to return a full
copy (the default behavior).
The -R option specifies an upper bound; Postfix will return only
- the header, when a full copy would exceed the bounce_size_limit
+ the header, when a full copy would exceed the bounce_size_limit
setting.
This option is ignored before Postfix version 2.10.
- -q Attempt to deliver all queued mail. This is implemented by exe-
+ -q Attempt to deliver all queued mail. This is implemented by exe-
cuting the postqueue(1) command.
- Warning: flushing undeliverable mail frequently will result in
+ Warning: flushing undeliverable mail frequently will result in
poor delivery performance of all other mail.
-qinterval (ignored)
@@ -230,21 +251,21 @@ SENDMAIL(1) SENDMAIL(1)
-qIqueueid
Schedule immediate delivery of mail with the specified queue ID.
- This option is implemented by executing the postqueue(1) com-
+ This option is implemented by executing the postqueue(1) com-
mand, and is available with Postfix version 2.4 and later.
-qRsite
- Schedule immediate delivery of all mail that is queued for the
- named site. This option accepts only site names that are eligi-
- ble for the "fast flush" service, and is implemented by execut-
+ Schedule immediate delivery of all mail that is queued for the
+ named site. This option accepts only site names that are eligi-
+ ble for the "fast flush" service, and is implemented by execut-
ing the postqueue(1) command. See flush(8) for more information
about the "fast flush" service.
-qSsite
- This command is not implemented. Use the slower "sendmail -q"
+ This command is not implemented. Use the slower "sendmail -q"
command instead.
- -t Extract recipients from message headers. These are added to any
+ -t Extract recipients from message headers. These are added to any
recipients specified on the command line.
With Postfix versions prior to 2.1, this option requires that no
@@ -260,23 +281,23 @@ SENDMAIL(1) SENDMAIL(1)
This feature is available in Postfix 2.3 and later.
-XV (Postfix 2.2 and earlier: -V)
- Variable Envelope Return Path. Given an envelope sender address
- of the form owner-listname@origin, each recipient user@domain
+ Variable Envelope Return Path. Given an envelope sender address
+ of the form owner-listname@origin, each recipient user@domain
receives mail with a personalized envelope sender address.
- By default, the personalized envelope sender address is
- owner-listname+user=domain@origin. The default + and = charac-
- ters are configurable with the default_verp_delimiters configu-
+ By default, the personalized envelope sender address is
+ owner-listname+user=domain@origin. The default + and = charac-
+ ters are configurable with the default_verp_delimiters configu-
ration parameter.
-XVxy (Postfix 2.2 and earlier: -Vxy)
- As -XV, but uses x and y as the VERP delimiter characters,
+ As -XV, but uses x and y as the VERP delimiter characters,
instead of the characters specified with the default_verp_delim-
iters configuration parameter.
-v Send an email report of the first delivery attempt (Postfix ver-
- sions 2.1 and later). Mail delivery always happens in the back-
- ground. When multiple -v options are given, enable verbose log-
+ sions 2.1 and later). Mail delivery always happens in the back-
+ ground. When multiple -v options are given, enable verbose log-
ging for debugging purposes.
-X log_file (ignored)
@@ -284,42 +305,42 @@ SENDMAIL(1) SENDMAIL(1)
configuration parameters instead.
SECURITY
- By design, this program is not set-user (or group) id. It is prepared
+ By design, this program is not set-user (or group) id. It is prepared
to handle message content from untrusted, possibly remote, users.
- However, like most Postfix programs, this program does not enforce a
- security policy on its command-line arguments. Instead, it relies on
- the UNIX system to enforce access policies based on the effective user
+ However, like most Postfix programs, this program does not enforce a
+ security policy on its command-line arguments. Instead, it relies on
+ the UNIX system to enforce access policies based on the effective user
and group IDs of the process. Concretely, this means that running Post-
- fix commands as root (from sudo or equivalent) on behalf of a non-root
+ fix commands as root (from sudo or equivalent) on behalf of a non-root
user is likely to create privilege escalation opportunities.
- If an application runs any Postfix programs on behalf of users that do
+ If an application runs any Postfix programs on behalf of users that do
not have normal shell access to Postfix commands, then that application
- MUST restrict user-specified command-line arguments to avoid privilege
+ MUST restrict user-specified command-line arguments to avoid privilege
escalation.
- o Filter all command-line arguments, for example arguments that
- contain a pathname or that specify a database access method.
- These pathname checks must reject user-controlled symlinks or
+ o Filter all command-line arguments, for example arguments that
+ contain a pathname or that specify a database access method.
+ These pathname checks must reject user-controlled symlinks or
hardlinks to sensitive files, and must not be vulnerable to TOC-
TOU race attacks.
- o Disable command options processing for all command arguments
+ o Disable command options processing for all command arguments
that contain user-specified data. For example, the Postfix send-
mail(1) command line MUST be structured as follows:
/path/to/sendmail system-arguments -- user-arguments
- Here, the "--" disables command option processing for all
+ Here, the "--" disables command option processing for all
user-arguments that follow.
- Without the "--", a malicious user could enable Postfix send-
- mail(1) command options, by specifying an email address that
+ Without the "--", a malicious user could enable Postfix send-
+ mail(1) command options, by specifying an email address that
starts with "-".
DIAGNOSTICS
- Problems are logged to syslogd(8) or postlogd(8), and to the standard
+ Problems are logged to syslogd(8) or postlogd(8), and to the standard
error stream.
ENVIRONMENT
@@ -333,12 +354,12 @@ SENDMAIL(1) SENDMAIL(1)
Enable debugging with an external command, as specified with the
debugger_command configuration parameter.
- NAME The sender full name. This is used only with messages that have
+ NAME The sender full name. This is used only with messages that have
no From: message header. See also the -F option above.
CONFIGURATION PARAMETERS
- The following main.cf parameters are especially relevant to this pro-
- gram. The text below provides only a parameter summary. See post-
+ The following main.cf parameters are especially relevant to this pro-
+ gram. The text below provides only a parameter summary. See post-
conf(5) for more details including examples.
COMPATIBILITY CONTROLS
@@ -349,7 +370,7 @@ SENDMAIL(1) SENDMAIL(1)
line endings from <CR><LF> into UNIX format (<LF>).
TROUBLE SHOOTING CONTROLS
- The DEBUG_README file gives examples of how to troubleshoot a Postfix
+ The DEBUG_README file gives examples of how to troubleshoot a Postfix
system.
debugger_command (empty)
@@ -357,14 +378,14 @@ SENDMAIL(1) SENDMAIL(1)
invoked with the -D option.
debug_peer_level (2)
- The increment in verbose logging level when a nexthop destina-
- tion, remote client or server name or network address matches a
+ The increment in verbose logging level when a nexthop destina-
+ tion, remote client or server name or network address matches a
pattern given with the debug_peer_list parameter.
debug_peer_list (empty)
- Optional list of nexthop destination, remote client or server
- name or network address patterns that, if matched, cause the
- verbose logging level to increase by the amount specified in
+ Optional list of nexthop destination, remote client or server
+ name or network address patterns that, if matched, cause the
+ verbose logging level to increase by the amount specified in
$debug_peer_level.
ACCESS CONTROLS
@@ -377,13 +398,13 @@ SENDMAIL(1) SENDMAIL(1)
List of users who are authorized to view the queue.
authorized_submit_users (static:anyone)
- List of users who are authorized to submit mail with the send-
+ List of users who are authorized to submit mail with the send-
mail(1) command (and with the privileged postdrop(1) helper com-
mand).
RESOURCE AND RATE CONTROLS
bounce_size_limit (50000)
- The maximal amount of original message text that is sent in a
+ The maximal amount of original message text that is sent in a
non-delivery notification.
fork_attempts (5)
@@ -397,11 +418,11 @@ SENDMAIL(1) SENDMAIL(1)
in the primary message headers.
queue_run_delay (300s)
- The time between deferred queue scans by the queue manager;
+ The time between deferred queue scans by the queue manager;
prior to Postfix 2.4 the default value was 1000s.
FAST FLUSH CONTROLS
- The ETRN_README file describes configuration and operation details for
+ The ETRN_README file describes configuration and operation details for
the Postfix "fast flush" service.
fast_flush_domains ($relay_domains)
@@ -409,26 +430,26 @@ SENDMAIL(1) SENDMAIL(1)
tion logfiles with mail that is queued to those destinations.
VERP CONTROLS
- The VERP_README file describes configuration and operation details of
+ The VERP_README file describes configuration and operation details of
Postfix support for variable envelope return path addresses.
default_verp_delimiters (+=)
The two default VERP delimiter characters.
verp_delimiter_filter (-=+)
- The characters Postfix accepts as VERP delimiter characters on
+ The characters Postfix accepts as VERP delimiter characters on
the Postfix sendmail(1) command line and in SMTP commands.
MISCELLANEOUS CONTROLS
alias_database (see 'postconf -d' output)
- The alias databases for local(8) delivery that are updated with
+ The alias databases for local(8) delivery that are updated with
"newaliases" or with "sendmail -bi".
command_directory (see 'postconf -d' output)
The location of all postfix administrative commands.
config_directory (see 'postconf -d' output)
- The default location of the Postfix main.cf and master.cf con-
+ The default location of the Postfix main.cf and master.cf con-
figuration files.
daemon_directory (see 'postconf -d' output)
@@ -439,25 +460,25 @@ SENDMAIL(1) SENDMAIL(1)
and postmap(1) commands.
delay_warning_time (0h)
- The time after which the sender receives a copy of the message
+ The time after which the sender receives a copy of the message
headers of mail that is still queued.
import_environment (see 'postconf -d' output)
- The list of environment variables that a privileged Postfix
- process will import from a non-Postfix parent process, or
+ The list of environment variables that a privileged Postfix
+ process will import from a non-Postfix parent process, or
name=value environment overrides.
mail_owner (postfix)
- The UNIX system account that owns the Postfix queue and most
+ The UNIX system account that owns the Postfix queue and most
Postfix daemon processes.
queue_directory (see 'postconf -d' output)
The location of the Postfix top-level queue directory.
remote_header_rewrite_domain (empty)
- Rewrite or add message headers in mail from remote clients if
- the remote_header_rewrite_domain parameter value is non-empty,
- updating incomplete addresses with the domain specified in the
+ Rewrite or add message headers in mail from remote clients if
+ the remote_header_rewrite_domain parameter value is non-empty,
+ updating incomplete addresses with the domain specified in the
remote_header_rewrite_domain parameter, and adding missing head-
ers.
@@ -465,24 +486,30 @@ SENDMAIL(1) SENDMAIL(1)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
- A prefix that is prepended to the process name in syslog
+ A prefix that is prepended to the process name in syslog
records, so that, for example, "smtpd" becomes "prefix/smtpd".
Postfix 3.2 and later:
alternate_config_directories (empty)
A list of non-default Postfix configuration directories that may
- be specified with "-c config_directory" on the command line (in
- the case of sendmail(1), with the "-C" option), or via the
+ be specified with "-c config_directory" on the command line (in
+ the case of sendmail(1), with the "-C" option), or via the
MAIL_CONFIG environment parameter.
multi_instance_directories (empty)
- An optional list of non-default Postfix configuration directo-
- ries; these directories belong to additional Postfix instances
- that share the Postfix executable files and documentation with
- the default Postfix instance, and that are started, stopped,
+ An optional list of non-default Postfix configuration directo-
+ ries; these directories belong to additional Postfix instances
+ that share the Postfix executable files and documentation with
+ the default Postfix instance, and that are started, stopped,
etc., together with the default Postfix instance.
+ Postfix 3.10 and later:
+
+ requiretls_enable (yes)
+ Enable support for the ESMTP verb "REQUIRETLS", defined in RFC
+ 8689.
+
FILES
/var/spool/postfix, mail queue
/etc/postfix, configuration files
diff --git a/postfix/html/newaliases.1.html b/postfix/html/newaliases.1.html
index 4645b733a..a494b5bfe 100644
--- a/postfix/html/newaliases.1.html
+++ b/postfix/html/newaliases.1.html
@@ -174,54 +174,75 @@ SENDMAIL(1) SENDMAIL(1)
This feature is available in Postfix 2.3 and later.
+ -O requiretls
+ When delivering the message with SMTP, the connection must use
+ TLS with a verified server certificate, and the remote SMTP
+ server must support REQUIRETLS. Try multiple SMTP servers if
+ possible, and return the message as undeliverable when these
+ requirements were not satisfied with any of the remote SMTP
+ servers that were tried. The "requiretls" option value is
+ case-insensitive.
+
+ This feature is available in Postfix 3.10 and later.
+
+ -O smtputf8
+ When delivering the message with SMTP, the connection must use
+ the SMTPUTF8 extension. Try multiple SMTP servers if possible,
+ and return the message as undeliverable when a message contains
+ an UTF8 envelope address or message header, but SMTPUTF8 was not
+ supported by any of the remote SMTP servers that were tried. The
+ "smtputf8" option value is case-insensitive.
+
+ This feature is available in Postfix 3.10 and later.
+
-n (ignored)
Backwards compatibility.
-oAalias_database
- Non-default alias database. Specify pathname or type:pathname.
+ Non-default alias database. Specify pathname or type:pathname.
See postalias(1) for details.
-O option=value (ignored)
- Set the named option to value. Use the equivalent configuration
+ Set the named option to value. Use the equivalent configuration
parameter in main.cf instead.
-o7 (ignored)
-o8 (ignored)
- To send 8-bit or binary content, use an appropriate MIME encap-
+ To send 8-bit or binary content, use an appropriate MIME encap-
sulation and specify the appropriate -B command-line option.
- -oi When reading a message from standard input, don't treat a line
+ -oi When reading a message from standard input, don't treat a line
with only a . character as the end of input.
-om (ignored)
The sender is never eliminated from alias etc. expansions.
-o x value (ignored)
- Set option x to value. Use the equivalent configuration parame-
+ Set option x to value. Use the equivalent configuration parame-
ter in main.cf instead.
-r sender
- Set the envelope sender address. This is the address where
+ Set the envelope sender address. This is the address where
delivery problems are sent to. With Postfix versions before 2.1,
- the Errors-To: message header overrides the error return
+ the Errors-To: message header overrides the error return
address.
-R return
- Delivery status notification control. Specify "hdrs" to return
- only the header when a message bounces, "full" to return a full
+ Delivery status notification control. Specify "hdrs" to return
+ only the header when a message bounces, "full" to return a full
copy (the default behavior).
The -R option specifies an upper bound; Postfix will return only
- the header, when a full copy would exceed the bounce_size_limit
+ the header, when a full copy would exceed the bounce_size_limit
setting.
This option is ignored before Postfix version 2.10.
- -q Attempt to deliver all queued mail. This is implemented by exe-
+ -q Attempt to deliver all queued mail. This is implemented by exe-
cuting the postqueue(1) command.
- Warning: flushing undeliverable mail frequently will result in
+ Warning: flushing undeliverable mail frequently will result in
poor delivery performance of all other mail.
-qinterval (ignored)
@@ -230,21 +251,21 @@ SENDMAIL(1) SENDMAIL(1)
-qIqueueid
Schedule immediate delivery of mail with the specified queue ID.
- This option is implemented by executing the postqueue(1) com-
+ This option is implemented by executing the postqueue(1) com-
mand, and is available with Postfix version 2.4 and later.
-qRsite
- Schedule immediate delivery of all mail that is queued for the
- named site. This option accepts only site names that are eligi-
- ble for the "fast flush" service, and is implemented by execut-
+ Schedule immediate delivery of all mail that is queued for the
+ named site. This option accepts only site names that are eligi-
+ ble for the "fast flush" service, and is implemented by execut-
ing the postqueue(1) command. See flush(8) for more information
about the "fast flush" service.
-qSsite
- This command is not implemented. Use the slower "sendmail -q"
+ This command is not implemented. Use the slower "sendmail -q"
command instead.
- -t Extract recipients from message headers. These are added to any
+ -t Extract recipients from message headers. These are added to any
recipients specified on the command line.
With Postfix versions prior to 2.1, this option requires that no
@@ -260,23 +281,23 @@ SENDMAIL(1) SENDMAIL(1)
This feature is available in Postfix 2.3 and later.
-XV (Postfix 2.2 and earlier: -V)
- Variable Envelope Return Path. Given an envelope sender address
- of the form owner-listname@origin, each recipient user@domain
+ Variable Envelope Return Path. Given an envelope sender address
+ of the form owner-listname@origin, each recipient user@domain
receives mail with a personalized envelope sender address.
- By default, the personalized envelope sender address is
- owner-listname+user=domain@origin. The default + and = charac-
- ters are configurable with the default_verp_delimiters configu-
+ By default, the personalized envelope sender address is
+ owner-listname+user=domain@origin. The default + and = charac-
+ ters are configurable with the default_verp_delimiters configu-
ration parameter.
-XVxy (Postfix 2.2 and earlier: -Vxy)
- As -XV, but uses x and y as the VERP delimiter characters,
+ As -XV, but uses x and y as the VERP delimiter characters,
instead of the characters specified with the default_verp_delim-
iters configuration parameter.
-v Send an email report of the first delivery attempt (Postfix ver-
- sions 2.1 and later). Mail delivery always happens in the back-
- ground. When multiple -v options are given, enable verbose log-
+ sions 2.1 and later). Mail delivery always happens in the back-
+ ground. When multiple -v options are given, enable verbose log-
ging for debugging purposes.
-X log_file (ignored)
@@ -284,42 +305,42 @@ SENDMAIL(1) SENDMAIL(1)
configuration parameters instead.
SECURITY
- By design, this program is not set-user (or group) id. It is prepared
+ By design, this program is not set-user (or group) id. It is prepared
to handle message content from untrusted, possibly remote, users.
- However, like most Postfix programs, this program does not enforce a
- security policy on its command-line arguments. Instead, it relies on
- the UNIX system to enforce access policies based on the effective user
+ However, like most Postfix programs, this program does not enforce a
+ security policy on its command-line arguments. Instead, it relies on
+ the UNIX system to enforce access policies based on the effective user
and group IDs of the process. Concretely, this means that running Post-
- fix commands as root (from sudo or equivalent) on behalf of a non-root
+ fix commands as root (from sudo or equivalent) on behalf of a non-root
user is likely to create privilege escalation opportunities.
- If an application runs any Postfix programs on behalf of users that do
+ If an application runs any Postfix programs on behalf of users that do
not have normal shell access to Postfix commands, then that application
- MUST restrict user-specified command-line arguments to avoid privilege
+ MUST restrict user-specified command-line arguments to avoid privilege
escalation.
- o Filter all command-line arguments, for example arguments that
- contain a pathname or that specify a database access method.
- These pathname checks must reject user-controlled symlinks or
+ o Filter all command-line arguments, for example arguments that
+ contain a pathname or that specify a database access method.
+ These pathname checks must reject user-controlled symlinks or
hardlinks to sensitive files, and must not be vulnerable to TOC-
TOU race attacks.
- o Disable command options processing for all command arguments
+ o Disable command options processing for all command arguments
that contain user-specified data. For example, the Postfix send-
mail(1) command line MUST be structured as follows:
/path/to/sendmail system-arguments -- user-arguments
- Here, the "--" disables command option processing for all
+ Here, the "--" disables command option processing for all
user-arguments that follow.
- Without the "--", a malicious user could enable Postfix send-
- mail(1) command options, by specifying an email address that
+ Without the "--", a malicious user could enable Postfix send-
+ mail(1) command options, by specifying an email address that
starts with "-".
DIAGNOSTICS
- Problems are logged to syslogd(8) or postlogd(8), and to the standard
+ Problems are logged to syslogd(8) or postlogd(8), and to the standard
error stream.
ENVIRONMENT
@@ -333,12 +354,12 @@ SENDMAIL(1) SENDMAIL(1)
Enable debugging with an external command, as specified with the
debugger_command configuration parameter.
- NAME The sender full name. This is used only with messages that have
+ NAME The sender full name. This is used only with messages that have
no From: message header. See also the -F option above.
CONFIGURATION PARAMETERS
- The following main.cf parameters are especially relevant to this pro-
- gram. The text below provides only a parameter summary. See post-
+ The following main.cf parameters are especially relevant to this pro-
+ gram. The text below provides only a parameter summary. See post-
conf(5) for more details including examples.
COMPATIBILITY CONTROLS
@@ -349,7 +370,7 @@ SENDMAIL(1) SENDMAIL(1)
line endings from <CR><LF> into UNIX format (<LF>).
TROUBLE SHOOTING CONTROLS
- The DEBUG_README file gives examples of how to troubleshoot a Postfix
+ The DEBUG_README file gives examples of how to troubleshoot a Postfix
system.
debugger_command (empty)
@@ -357,14 +378,14 @@ SENDMAIL(1) SENDMAIL(1)
invoked with the -D option.
debug_peer_level (2)
- The increment in verbose logging level when a nexthop destina-
- tion, remote client or server name or network address matches a
+ The increment in verbose logging level when a nexthop destina-
+ tion, remote client or server name or network address matches a
pattern given with the debug_peer_list parameter.
debug_peer_list (empty)
- Optional list of nexthop destination, remote client or server
- name or network address patterns that, if matched, cause the
- verbose logging level to increase by the amount specified in
+ Optional list of nexthop destination, remote client or server
+ name or network address patterns that, if matched, cause the
+ verbose logging level to increase by the amount specified in
$debug_peer_level.
ACCESS CONTROLS
@@ -377,13 +398,13 @@ SENDMAIL(1) SENDMAIL(1)
List of users who are authorized to view the queue.
authorized_submit_users (static:anyone)
- List of users who are authorized to submit mail with the send-
+ List of users who are authorized to submit mail with the send-
mail(1) command (and with the privileged postdrop(1) helper com-
mand).
RESOURCE AND RATE CONTROLS
bounce_size_limit (50000)
- The maximal amount of original message text that is sent in a
+ The maximal amount of original message text that is sent in a
non-delivery notification.
fork_attempts (5)
@@ -397,11 +418,11 @@ SENDMAIL(1) SENDMAIL(1)
in the primary message headers.
queue_run_delay (300s)
- The time between deferred queue scans by the queue manager;
+ The time between deferred queue scans by the queue manager;
prior to Postfix 2.4 the default value was 1000s.
FAST FLUSH CONTROLS
- The ETRN_README file describes configuration and operation details for
+ The ETRN_README file describes configuration and operation details for
the Postfix "fast flush" service.
fast_flush_domains ($relay_domains)
@@ -409,26 +430,26 @@ SENDMAIL(1) SENDMAIL(1)
tion logfiles with mail that is queued to those destinations.
VERP CONTROLS
- The VERP_README file describes configuration and operation details of
+ The VERP_README file describes configuration and operation details of
Postfix support for variable envelope return path addresses.
default_verp_delimiters (+=)
The two default VERP delimiter characters.
verp_delimiter_filter (-=+)
- The characters Postfix accepts as VERP delimiter characters on
+ The characters Postfix accepts as VERP delimiter characters on
the Postfix sendmail(1) command line and in SMTP commands.
MISCELLANEOUS CONTROLS
alias_database (see 'postconf -d' output)
- The alias databases for local(8) delivery that are updated with
+ The alias databases for local(8) delivery that are updated with
"newaliases" or with "sendmail -bi".
command_directory (see 'postconf -d' output)
The location of all postfix administrative commands.
config_directory (see 'postconf -d' output)
- The default location of the Postfix main.cf and master.cf con-
+ The default location of the Postfix main.cf and master.cf con-
figuration files.
daemon_directory (see 'postconf -d' output)
@@ -439,25 +460,25 @@ SENDMAIL(1) SENDMAIL(1)
and postmap(1) commands.
delay_warning_time (0h)
- The time after which the sender receives a copy of the message
+ The time after which the sender receives a copy of the message
headers of mail that is still queued.
import_environment (see 'postconf -d' output)
- The list of environment variables that a privileged Postfix
- process will import from a non-Postfix parent process, or
+ The list of environment variables that a privileged Postfix
+ process will import from a non-Postfix parent process, or
name=value environment overrides.
mail_owner (postfix)
- The UNIX system account that owns the Postfix queue and most
+ The UNIX system account that owns the Postfix queue and most
Postfix daemon processes.
queue_directory (see 'postconf -d' output)
The location of the Postfix top-level queue directory.
remote_header_rewrite_domain (empty)
- Rewrite or add message headers in mail from remote clients if
- the remote_header_rewrite_domain parameter value is non-empty,
- updating incomplete addresses with the domain specified in the
+ Rewrite or add message headers in mail from remote clients if
+ the remote_header_rewrite_domain parameter value is non-empty,
+ updating incomplete addresses with the domain specified in the
remote_header_rewrite_domain parameter, and adding missing head-
ers.
@@ -465,24 +486,30 @@ SENDMAIL(1) SENDMAIL(1)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
- A prefix that is prepended to the process name in syslog
+ A prefix that is prepended to the process name in syslog
records, so that, for example, "smtpd" becomes "prefix/smtpd".
Postfix 3.2 and later:
alternate_config_directories (empty)
A list of non-default Postfix configuration directories that may
- be specified with "-c config_directory" on the command line (in
- the case of sendmail(1), with the "-C" option), or via the
+ be specified with "-c config_directory" on the command line (in
+ the case of sendmail(1), with the "-C" option), or via the
MAIL_CONFIG environment parameter.
multi_instance_directories (empty)
- An optional list of non-default Postfix configuration directo-
- ries; these directories belong to additional Postfix instances
- that share the Postfix executable files and documentation with
- the default Postfix instance, and that are started, stopped,
+ An optional list of non-default Postfix configuration directo-
+ ries; these directories belong to additional Postfix instances
+ that share the Postfix executable files and documentation with
+ the default Postfix instance, and that are started, stopped,
etc., together with the default Postfix instance.
+ Postfix 3.10 and later:
+
+ requiretls_enable (yes)
+ Enable support for the ESMTP verb "REQUIRETLS", defined in RFC
+ 8689.
+
FILES
/var/spool/postfix, mail queue
/etc/postfix, configuration files
diff --git a/postfix/html/sendmail.1.html b/postfix/html/sendmail.1.html
index 4645b733a..a494b5bfe 100644
--- a/postfix/html/sendmail.1.html
+++ b/postfix/html/sendmail.1.html
@@ -174,54 +174,75 @@ SENDMAIL(1) SENDMAIL(1)
This feature is available in Postfix 2.3 and later.
+ -O requiretls
+ When delivering the message with SMTP, the connection must use
+ TLS with a verified server certificate, and the remote SMTP
+ server must support REQUIRETLS. Try multiple SMTP servers if
+ possible, and return the message as undeliverable when these
+ requirements were not satisfied with any of the remote SMTP
+ servers that were tried. The "requiretls" option value is
+ case-insensitive.
+
+ This feature is available in Postfix 3.10 and later.
+
+ -O smtputf8
+ When delivering the message with SMTP, the connection must use
+ the SMTPUTF8 extension. Try multiple SMTP servers if possible,
+ and return the message as undeliverable when a message contains
+ an UTF8 envelope address or message header, but SMTPUTF8 was not
+ supported by any of the remote SMTP servers that were tried. The
+ "smtputf8" option value is case-insensitive.
+
+ This feature is available in Postfix 3.10 and later.
+
-n (ignored)
Backwards compatibility.
-oAalias_database
- Non-default alias database. Specify pathname or type:pathname.
+ Non-default alias database. Specify pathname or type:pathname.
See postalias(1) for details.
-O option=value (ignored)
- Set the named option to value. Use the equivalent configuration
+ Set the named option to value. Use the equivalent configuration
parameter in main.cf instead.
-o7 (ignored)
-o8 (ignored)
- To send 8-bit or binary content, use an appropriate MIME encap-
+ To send 8-bit or binary content, use an appropriate MIME encap-
sulation and specify the appropriate -B command-line option.
- -oi When reading a message from standard input, don't treat a line
+ -oi When reading a message from standard input, don't treat a line
with only a . character as the end of input.
-om (ignored)
The sender is never eliminated from alias etc. expansions.
-o x value (ignored)
- Set option x to value. Use the equivalent configuration parame-
+ Set option x to value. Use the equivalent configuration parame-
ter in main.cf instead.
-r sender
- Set the envelope sender address. This is the address where
+ Set the envelope sender address. This is the address where
delivery problems are sent to. With Postfix versions before 2.1,
- the Errors-To: message header overrides the error return
+ the Errors-To: message header overrides the error return
address.
-R return
- Delivery status notification control. Specify "hdrs" to return
- only the header when a message bounces, "full" to return a full
+ Delivery status notification control. Specify "hdrs" to return
+ only the header when a message bounces, "full" to return a full
copy (the default behavior).
The -R option specifies an upper bound; Postfix will return only
- the header, when a full copy would exceed the bounce_size_limit
+ the header, when a full copy would exceed the bounce_size_limit
setting.
This option is ignored before Postfix version 2.10.
- -q Attempt to deliver all queued mail. This is implemented by exe-
+ -q Attempt to deliver all queued mail. This is implemented by exe-
cuting the postqueue(1) command.
- Warning: flushing undeliverable mail frequently will result in
+ Warning: flushing undeliverable mail frequently will result in
poor delivery performance of all other mail.
-qinterval (ignored)
@@ -230,21 +251,21 @@ SENDMAIL(1) SENDMAIL(1)
-qIqueueid
Schedule immediate delivery of mail with the specified queue ID.
- This option is implemented by executing the postqueue(1) com-
+ This option is implemented by executing the postqueue(1) com-
mand, and is available with Postfix version 2.4 and later.
-qRsite
- Schedule immediate delivery of all mail that is queued for the
- named site. This option accepts only site names that are eligi-
- ble for the "fast flush" service, and is implemented by execut-
+ Schedule immediate delivery of all mail that is queued for the
+ named site. This option accepts only site names that are eligi-
+ ble for the "fast flush" service, and is implemented by execut-
ing the postqueue(1) command. See flush(8) for more information
about the "fast flush" service.
-qSsite
- This command is not implemented. Use the slower "sendmail -q"
+ This command is not implemented. Use the slower "sendmail -q"
command instead.
- -t Extract recipients from message headers. These are added to any
+ -t Extract recipients from message headers. These are added to any
recipients specified on the command line.
With Postfix versions prior to 2.1, this option requires that no
@@ -260,23 +281,23 @@ SENDMAIL(1) SENDMAIL(1)
This feature is available in Postfix 2.3 and later.
-XV (Postfix 2.2 and earlier: -V)
- Variable Envelope Return Path. Given an envelope sender address
- of the form owner-listname@origin, each recipient user@domain
+ Variable Envelope Return Path. Given an envelope sender address
+ of the form owner-listname@origin, each recipient user@domain
receives mail with a personalized envelope sender address.
- By default, the personalized envelope sender address is
- owner-listname+user=domain@origin. The default + and = charac-
- ters are configurable with the default_verp_delimiters configu-
+ By default, the personalized envelope sender address is
+ owner-listname+user=domain@origin. The default + and = charac-
+ ters are configurable with the default_verp_delimiters configu-
ration parameter.
-XVxy (Postfix 2.2 and earlier: -Vxy)
- As -XV, but uses x and y as the VERP delimiter characters,
+ As -XV, but uses x and y as the VERP delimiter characters,
instead of the characters specified with the default_verp_delim-
iters configuration parameter.
-v Send an email report of the first delivery attempt (Postfix ver-
- sions 2.1 and later). Mail delivery always happens in the back-
- ground. When multiple -v options are given, enable verbose log-
+ sions 2.1 and later). Mail delivery always happens in the back-
+ ground. When multiple -v options are given, enable verbose log-
ging for debugging purposes.
-X log_file (ignored)
@@ -284,42 +305,42 @@ SENDMAIL(1) SENDMAIL(1)
configuration parameters instead.
SECURITY
- By design, this program is not set-user (or group) id. It is prepared
+ By design, this program is not set-user (or group) id. It is prepared
to handle message content from untrusted, possibly remote, users.
- However, like most Postfix programs, this program does not enforce a
- security policy on its command-line arguments. Instead, it relies on
- the UNIX system to enforce access policies based on the effective user
+ However, like most Postfix programs, this program does not enforce a
+ security policy on its command-line arguments. Instead, it relies on
+ the UNIX system to enforce access policies based on the effective user
and group IDs of the process. Concretely, this means that running Post-
- fix commands as root (from sudo or equivalent) on behalf of a non-root
+ fix commands as root (from sudo or equivalent) on behalf of a non-root
user is likely to create privilege escalation opportunities.
- If an application runs any Postfix programs on behalf of users that do
+ If an application runs any Postfix programs on behalf of users that do
not have normal shell access to Postfix commands, then that application
- MUST restrict user-specified command-line arguments to avoid privilege
+ MUST restrict user-specified command-line arguments to avoid privilege
escalation.
- o Filter all command-line arguments, for example arguments that
- contain a pathname or that specify a database access method.
- These pathname checks must reject user-controlled symlinks or
+ o Filter all command-line arguments, for example arguments that
+ contain a pathname or that specify a database access method.
+ These pathname checks must reject user-controlled symlinks or
hardlinks to sensitive files, and must not be vulnerable to TOC-
TOU race attacks.
- o Disable command options processing for all command arguments
+ o Disable command options processing for all command arguments
that contain user-specified data. For example, the Postfix send-
mail(1) command line MUST be structured as follows:
/path/to/sendmail system-arguments -- user-arguments
- Here, the "--" disables command option processing for all
+ Here, the "--" disables command option processing for all
user-arguments that follow.
- Without the "--", a malicious user could enable Postfix send-
- mail(1) command options, by specifying an email address that
+ Without the "--", a malicious user could enable Postfix send-
+ mail(1) command options, by specifying an email address that
starts with "-".
DIAGNOSTICS
- Problems are logged to syslogd(8) or postlogd(8), and to the standard
+ Problems are logged to syslogd(8) or postlogd(8), and to the standard
error stream.
ENVIRONMENT
@@ -333,12 +354,12 @@ SENDMAIL(1) SENDMAIL(1)
Enable debugging with an external command, as specified with the
debugger_command configuration parameter.
- NAME The sender full name. This is used only with messages that have
+ NAME The sender full name. This is used only with messages that have
no From: message header. See also the -F option above.
CONFIGURATION PARAMETERS
- The following main.cf parameters are especially relevant to this pro-
- gram. The text below provides only a parameter summary. See post-
+ The following main.cf parameters are especially relevant to this pro-
+ gram. The text below provides only a parameter summary. See post-
conf(5) for more details including examples.
COMPATIBILITY CONTROLS
@@ -349,7 +370,7 @@ SENDMAIL(1) SENDMAIL(1)
line endings from <CR><LF> into UNIX format (<LF>).
TROUBLE SHOOTING CONTROLS
- The DEBUG_README file gives examples of how to troubleshoot a Postfix
+ The DEBUG_README file gives examples of how to troubleshoot a Postfix
system.
debugger_command (empty)
@@ -357,14 +378,14 @@ SENDMAIL(1) SENDMAIL(1)
invoked with the -D option.
debug_peer_level (2)
- The increment in verbose logging level when a nexthop destina-
- tion, remote client or server name or network address matches a
+ The increment in verbose logging level when a nexthop destina-
+ tion, remote client or server name or network address matches a
pattern given with the debug_peer_list parameter.
debug_peer_list (empty)
- Optional list of nexthop destination, remote client or server
- name or network address patterns that, if matched, cause the
- verbose logging level to increase by the amount specified in
+ Optional list of nexthop destination, remote client or server
+ name or network address patterns that, if matched, cause the
+ verbose logging level to increase by the amount specified in
$debug_peer_level.
ACCESS CONTROLS
@@ -377,13 +398,13 @@ SENDMAIL(1) SENDMAIL(1)
List of users who are authorized to view the queue.
authorized_submit_users (static:anyone)
- List of users who are authorized to submit mail with the send-
+ List of users who are authorized to submit mail with the send-
mail(1) command (and with the privileged postdrop(1) helper com-
mand).
RESOURCE AND RATE CONTROLS
bounce_size_limit (50000)
- The maximal amount of original message text that is sent in a
+ The maximal amount of original message text that is sent in a
non-delivery notification.
fork_attempts (5)
@@ -397,11 +418,11 @@ SENDMAIL(1) SENDMAIL(1)
in the primary message headers.
queue_run_delay (300s)
- The time between deferred queue scans by the queue manager;
+ The time between deferred queue scans by the queue manager;
prior to Postfix 2.4 the default value was 1000s.
FAST FLUSH CONTROLS
- The ETRN_README file describes configuration and operation details for
+ The ETRN_README file describes configuration and operation details for
the Postfix "fast flush" service.
fast_flush_domains ($relay_domains)
@@ -409,26 +430,26 @@ SENDMAIL(1) SENDMAIL(1)
tion logfiles with mail that is queued to those destinations.
VERP CONTROLS
- The VERP_README file describes configuration and operation details of
+ The VERP_README file describes configuration and operation details of
Postfix support for variable envelope return path addresses.
default_verp_delimiters (+=)
The two default VERP delimiter characters.
verp_delimiter_filter (-=+)
- The characters Postfix accepts as VERP delimiter characters on
+ The characters Postfix accepts as VERP delimiter characters on
the Postfix sendmail(1) command line and in SMTP commands.
MISCELLANEOUS CONTROLS
alias_database (see 'postconf -d' output)
- The alias databases for local(8) delivery that are updated with
+ The alias databases for local(8) delivery that are updated with
"newaliases" or with "sendmail -bi".
command_directory (see 'postconf -d' output)
The location of all postfix administrative commands.
config_directory (see 'postconf -d' output)
- The default location of the Postfix main.cf and master.cf con-
+ The default location of the Postfix main.cf and master.cf con-
figuration files.
daemon_directory (see 'postconf -d' output)
@@ -439,25 +460,25 @@ SENDMAIL(1) SENDMAIL(1)
and postmap(1) commands.
delay_warning_time (0h)
- The time after which the sender receives a copy of the message
+ The time after which the sender receives a copy of the message
headers of mail that is still queued.
import_environment (see 'postconf -d' output)
- The list of environment variables that a privileged Postfix
- process will import from a non-Postfix parent process, or
+ The list of environment variables that a privileged Postfix
+ process will import from a non-Postfix parent process, or
name=value environment overrides.
mail_owner (postfix)
- The UNIX system account that owns the Postfix queue and most
+ The UNIX system account that owns the Postfix queue and most
Postfix daemon processes.
queue_directory (see 'postconf -d' output)
The location of the Postfix top-level queue directory.
remote_header_rewrite_domain (empty)
- Rewrite or add message headers in mail from remote clients if
- the remote_header_rewrite_domain parameter value is non-empty,
- updating incomplete addresses with the domain specified in the
+ Rewrite or add message headers in mail from remote clients if
+ the remote_header_rewrite_domain parameter value is non-empty,
+ updating incomplete addresses with the domain specified in the
remote_header_rewrite_domain parameter, and adding missing head-
ers.
@@ -465,24 +486,30 @@ SENDMAIL(1) SENDMAIL(1)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
- A prefix that is prepended to the process name in syslog
+ A prefix that is prepended to the process name in syslog
records, so that, for example, "smtpd" becomes "prefix/smtpd".
Postfix 3.2 and later:
alternate_config_directories (empty)
A list of non-default Postfix configuration directories that may
- be specified with "-c config_directory" on the command line (in
- the case of sendmail(1), with the "-C" option), or via the
+ be specified with "-c config_directory" on the command line (in
+ the case of sendmail(1), with the "-C" option), or via the
MAIL_CONFIG environment parameter.
multi_instance_directories (empty)
- An optional list of non-default Postfix configuration directo-
- ries; these directories belong to additional Postfix instances
- that share the Postfix executable files and documentation with
- the default Postfix instance, and that are started, stopped,
+ An optional list of non-default Postfix configuration directo-
+ ries; these directories belong to additional Postfix instances
+ that share the Postfix executable files and documentation with
+ the default Postfix instance, and that are started, stopped,
etc., together with the default Postfix instance.
+ Postfix 3.10 and later:
+
+ requiretls_enable (yes)
+ Enable support for the ESMTP verb "REQUIRETLS", defined in RFC
+ 8689.
+
FILES
/var/spool/postfix, mail queue
/etc/postfix, configuration files
diff --git a/postfix/man/man1/sendmail.1 b/postfix/man/man1/sendmail.1
index e3bc7a639..534732cfa 100644
--- a/postfix/man/man1/sendmail.1
+++ b/postfix/man/man1/sendmail.1
@@ -162,6 +162,24 @@ notification when delivery is delayed), or \fBsuccess\fR
\fBnever\fR (don't send any notifications at all).
This feature is available in Postfix 2.3 and later.
+.IP "\fB\-O requiretls"
+When delivering the message with SMTP, the connection must use TLS
+with a verified server certificate, and the remote SMTP server
+must support REQUIRETLS. Try multiple SMTP servers if possible,
+and return the message as undeliverable when these requirements
+were not satisfied with any of the remote SMTP servers that were
+tried. The "requiretls" option value is case\-insensitive.
+
+This feature is available in Postfix 3.10 and later.
+.IP "\fB\-O smtputf8"
+When delivering the message with SMTP, the connection must use
+the SMTPUTF8 extension. Try multiple SMTP servers if possible,
+and return the message as undeliverable when a message contains
+an UTF8 envelope address or message header, but SMTPUTF8 was not
+supported by any of the remote SMTP servers that were tried. The
+"smtputf8" option value is case\-insensitive.
+
+This feature is available in Postfix 3.10 and later.
.IP "\fB\-n\fR (ignored)"
Backwards compatibility.
.IP "\fB\-oA\fIalias_database\fR"
@@ -462,6 +480,11 @@ these directories belong to additional Postfix instances that share
the Postfix executable files and documentation with the default
Postfix instance, and that are started, stopped, etc., together
with the default Postfix instance.
+.PP
+Postfix 3.10 and later:
+.IP "\fBrequiretls_enable (yes)\fR"
+Enable support for the ESMTP verb "REQUIRETLS", defined in RFC
+8689.
.SH "FILES"
.na
.nf
diff --git a/postfix/proto/stop.double-history b/postfix/proto/stop.double-history
index cb73a10e3..fd47fe847 100644
--- a/postfix/proto/stop.double-history
+++ b/postfix/proto/stop.double-history
@@ -161,3 +161,5 @@ proto proto socketmap_table
operations Files cleanup cleanup h cleanup cleanup_message c
global ehlo_mask_test c local forward c smtpd smtpd c
more alternate MX servers to try Files smtp smtp h
+ Files sendmail sendmail c global rec_types h
+ Files sendmail sendmail c
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index d7bc61477..9de1d5c26 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20250120"
+#define MAIL_RELEASE_DATE "20250121"
#define MAIL_VERSION_NUMBER "3.10"
#ifdef SNAPSHOT
diff --git a/postfix/src/global/rec_type.h b/postfix/src/global/rec_type.h
index 32d939b9b..9452c003f 100644
--- a/postfix/src/global/rec_type.h
+++ b/postfix/src/global/rec_type.h
@@ -110,7 +110,7 @@
/*
* The subset of inputs that the postdrop command allows.
*/
-#define REC_TYPE_POST_ENVELOPE "MFSRVAin"
+#define REC_TYPE_POST_ENVELOPE "MCFSRVAin"
#define REC_TYPE_POST_CONTENT "XLN"
#define REC_TYPE_POST_EXTRACT "EAR"
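Review bot: Adding `C` to `REC_TYPE_POST_ENVELOPE` widens what the privileged postdrop command accepts from local submitters, but the comment above it still only says "The subset of inputs that the postdrop command allows". Assuming `C` is the SIZE record type that sendmail.c now writes, every field of that record becomes submitter-controlled, not just the sender options. I would extend the comment, for example `* SIZE ('C') is accepted only to carry sender options; all other SIZE fields are untrusted and must be recomputed downstream.`, so that later changes do not start trusting those fields.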
diff --git a/postfix/src/pickup/pickup.c b/postfix/src/pickup/pickup.c
index 390329d1e..95f404fdd 100644
--- a/postfix/src/pickup/pickup.c
+++ b/postfix/src/pickup/pickup.c
@@ -236,6 +236,7 @@ static int copy_segment(VSTREAM *qfile, VSTREAM *cleanup, PICKUP_INFO *info,
char *attr_value;
char *saved_attr;
int skip_attr;
+ ssize_t count;
/*
* Limit the input record size. All front-end programs should protect the
@@ -246,7 +247,7 @@ static int copy_segment(VSTREAM *qfile, VSTREAM *cleanup, PICKUP_INFO *info,
*
* We must allow PTR records here because of "postsuper -r".
*/
- for (;;) {
+ for (count = 0; /* void */; count++) {
if ((type = rec_get(qfile, buf, var_line_limit)) < 0
|| strchr(expected, type) == 0)
return (file_read_error(info, type));
@@ -264,6 +265,9 @@ static int copy_segment(VSTREAM *qfile, VSTREAM *cleanup, PICKUP_INFO *info,
}
if (type == REC_TYPE_TIME)
time_seen = 1;
+ if (type == REC_TYPE_SIZE && count > 0)
+ /* Discard SIZE record not at beginning of segment. */
+ continue;
/*
* XXX Workaround: REC_TYPE_FILT (used in envelopes) == REC_TYPE_CONT
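Review bot: The added `REC_TYPE_SIZE` check discards only SIZE records with `count > 0`, so the first record of a segment still reaches the code after this hunk with whatever field values the submitter wrote. Since this commit also lets postdrop accept that record type, a comment here should say which fields are honoured, e.g. `/* A leading SIZE record is submitter-controlled; only its sender-options field is meaningful. */`. It is also worth confirming that unexpected option bits are masked downstream, which is not visible here. The discard is silent; a `msg_warn()` naming the queue file would make malformed or hostile submissions visible in the logs. `copy_segment()` starts and ends outside these hunks, and the `count` declaration and loop counter are in the two preceding hunks.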
diff --git a/postfix/src/sendmail/Makefile.in b/postfix/src/sendmail/Makefile.in
index 192faf82e..d8e0f0560 100644
--- a/postfix/src/sendmail/Makefile.in
+++ b/postfix/src/sendmail/Makefile.in
@@ -86,6 +86,7 @@ sendmail.o: ../../include/recipient_list.h
sendmail.o: ../../include/record.h
sendmail.o: ../../include/resolve_clnt.h
sendmail.o: ../../include/safe.h
+sendmail.o: ../../include/sendopts.h
sendmail.o: ../../include/set_ugid.h
sendmail.o: ../../include/split_at.h
sendmail.o: ../../include/stringops.h
diff --git a/postfix/src/sendmail/sendmail.c b/postfix/src/sendmail/sendmail.c
index df052c5b0..d6ca18f14 100644
--- a/postfix/src/sendmail/sendmail.c
+++ b/postfix/src/sendmail/sendmail.c
@@ -156,6 +156,24 @@
/* \fBnever\fR (don't send any notifications at all).
/*
/* This feature is available in Postfix 2.3 and later.
+/* .IP "\fB-O requiretls"
+/* When delivering the message with SMTP, the connection must use TLS
+/* with a verified server certificate, and the remote SMTP server
+/* must support REQUIRETLS. Try multiple SMTP servers if possible,
+/* and return the message as undeliverable when these requirements
+/* were not satisfied with any of the remote SMTP servers that were
+/* tried. The "requiretls" option value is case-insensitive.
+/*
+/* This feature is available in Postfix 3.10 and later.
+/* .IP "\fB-O smtputf8"
+/* When delivering the message with SMTP, the connection must use
+/* the SMTPUTF8 extension. Try multiple SMTP servers if possible,
+/* and return the message as undeliverable when a message contains
+/* an UTF8 envelope address or message header, but SMTPUTF8 was not
+/* supported by any of the remote SMTP servers that were tried. The
+/* "smtputf8" option value is case-insensitive.
+/*
+/* This feature is available in Postfix 3.10 and later.
/* .IP "\fB-n\fR (ignored)"
/* Backwards compatibility.
/* .IP "\fB-oA\fIalias_database\fR"
@@ -434,6 +452,11 @@
/* the Postfix executable files and documentation with the default
/* Postfix instance, and that are started, stopped, etc., together
/* with the default Postfix instance.
+/* .PP
+/* Postfix 3.10 and later:
+/* .IP "\fBrequiretls_enable (yes)\fR"
+/* Enable support for the ESMTP verb "REQUIRETLS", defined in RFC
+/* 8689.
/* FILES
/* /var/spool/postfix, mail queue
/* /etc/postfix, configuration files
@@ -537,6 +560,7 @@
#include
#include
#include
+#include
/* Application-specific. */
@@ -589,6 +613,11 @@ static const CONFIG_STR_TABLE str_table[] = {
0,
};
+ /*
+ * Sender options.
+ */
+static int sm_sendopts;
+
/*
* Silly little macros (SLMs).
*/
@@ -788,6 +817,14 @@ static void enqueue(const int flags, const char *encoding,
* With "sendmail -N", instead of a per-message NOTIFY record we store one
* per recipient so that we can simplify the implementation somewhat.
*/
+ if (sm_sendopts)
+ rec_fprintf(dst, REC_TYPE_SIZE, REC_TYPE_SIZE_FORMAT,
+ (REC_TYPE_SIZE_CAST1) ~ 0, /* message segment size */
+ (REC_TYPE_SIZE_CAST2) ~ 0, /* content offset */
+ (REC_TYPE_SIZE_CAST3) ~ 0, /* recipient count */
+ (REC_TYPE_SIZE_CAST4) ~ 0, /* qmgr options */
+ (REC_TYPE_SIZE_CAST5) ~ 0, /* content length */
+ (REC_TYPE_SIZE_CAST6) sm_sendopts);
if (dsn_envid)
rec_fprintf(dst, REC_TYPE_ATTR, "%s=%s",
MAIL_ATTR_DSN_ENVID, dsn_envid);
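Review bot: The new `if (sm_sendopts)` statement sits directly under the existing comment about `sendmail -N` and per-recipient NOTIFY records, which does not describe it, and nothing explains why five of the six SIZE fields are written as `~ 0`. Add a separate comment above the new statement, for example `/* Pass sender options in a SIZE record; all other fields are ~0 placeholders, not real sizes or offsets. */`, and leave the NOTIFY comment next to the DSN code it belongs to. Which component is expected to ignore or overwrite the all-ones fields is not visible here, so the comment should name it. `enqueue()` starts and ends outside this hunk.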
@@ -1251,7 +1288,19 @@ int main(int argc, char **argv)
break;
case 'N':
if ((dsn_notify = dsn_notify_mask(optarg)) == 0)
- msg_warn("bad -N option value -- ignored");
+ msg_warn("bad -N option value: '%s' -- ignored", optarg);
+ break;
+ case 'O':
+ if (strcasecmp(optarg, "REQUIRETLS") == 0) {
+ sm_sendopts |= SOPT_REQUIRETLS_ESMTP;
+ if (var_requiretls_enable == 0)
+ msg_warn("'-O requiretls' was requested, but the "
+ "configuration is 'requiretls_enable = no'");
+ } else if (strcasecmp(optarg, "SMTPUTF8") == 0) {
+ sm_sendopts |= SOPT_SMTPUTF8_REQUESTED;
+ } else {
+ msg_warn("bad -O option value: '%s' -- ignored", optarg);
+ }
break;
case 'R':
if ((dsn_ret = dsn_ret_code(optarg)) == 0)
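Review bot: In the new `case 'O':` branch, `-O requiretls` combined with `requiretls_enable = no` only logs a warning. `sm_sendopts |= SOPT_REQUIRETLS_ESMTP` has already run and submission continues, so a sender who asked for enforced TLS can get a successful exit while, presumably, nothing downstream enforces it. If that is not intended, failing closed is the safer default, e.g. replacing the `msg_warn(...)` call with `msg_fatal_status(EX_USAGE, "'-O requiretls' was requested, but the configuration is 'requiretls_enable = no'");`. Separately, the manual text in this commit still lists `-O option=value (ignored)`, yet such values now fall into the final `else` and log `bad -O option value` for legacy callers. `main()` starts and ends outside this hunk.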
diff --git a/postfix/src/smtp/smtp_connect.c b/postfix/src/smtp/smtp_connect.c
index 299f3c1ab..48aa4142e 100644
--- a/postfix/src/smtp/smtp_connect.c
+++ b/postfix/src/smtp/smtp_connect.c
@@ -522,8 +522,10 @@ static int smtp_get_effective_tls_level(DSN_BUF *why, SMTP_STATE *state)
if (TLS_MUST_MATCH(tls->level) == 0) {
dsb_simple(why, "5.7.10", "Sender requires a TLS server "
"certificate match, but the configured %s TLS "
- "security level (%s) does not support that",
- var_mail_name, str_tls_level(tls->level));
+ "security level '%s' does not support that. "
+ "The last attempted server was %s",
+ var_mail_name, str_tls_level(tls->level),
+ STR(iter->host));
return (0);
}
}
diff --git a/postfix/src/smtp/smtp_proto.c b/postfix/src/smtp/smtp_proto.c
index 919b09df8..5a9b5a9ac 100644
--- a/postfix/src/smtp/smtp_proto.c
+++ b/postfix/src/smtp/smtp_proto.c
@@ -665,7 +665,8 @@ int smtp_helo(SMTP_STATE *state)
*/
if ((session->features & SMTP_FEATURE_SMTPUTF8) == 0
&& DELIVERY_REQUIRES_SMTPUTF8)
- return (smtp_mesg_fail(state, DSN_BY_LOCAL_MTA,
+ return (smtp_misc_fail(state, SMTP_MISC_FAIL_SOFT_NON_FINAL,
+ DSN_BY_LOCAL_MTA,
SMTP_RESP_FAKE(&fake, "5.6.7"),
"SMTPUTF8 is required, "
"but was not offered by host %s",
diff --git a/postfix/src/util/Makefile.in b/postfix/src/util/Makefile.in
index 7df6ffd94..32ad7fa34 100644
--- a/postfix/src/util/Makefile.in
+++ b/postfix/src/util/Makefile.in
@@ -1391,6 +1391,14 @@ cidr_match.o: stringops.h
cidr_match.o: sys_defs.h
cidr_match.o: vbuf.h
cidr_match.o: vstring.h
+clean_ascii_cntrl_space.o: check_arg.h
+clean_ascii_cntrl_space.o: clean_ascii_cntrl_space.c
+clean_ascii_cntrl_space.o: clean_ascii_cntrl_space.h
+clean_ascii_cntrl_space.o: stringops.h
+clean_ascii_cntrl_space.o: sys_defs.h
+clean_ascii_cntrl_space.o: vbuf.h
+clean_ascii_cntrl_space.o: vstream.h
+clean_ascii_cntrl_space.o: vstring.h
clean_env.o: argv.h
clean_env.o: check_arg.h
clean_env.o: clean_env.c
@@ -2837,14 +2845,6 @@ trimblanks.o: sys_defs.h
trimblanks.o: trimblanks.c
trimblanks.o: vbuf.h
trimblanks.o: vstring.h
-clean_ascii_cntrl_space.o: check_arg.h
-clean_ascii_cntrl_space.o: stringops.h
-clean_ascii_cntrl_space.o: sys_defs.h
-clean_ascii_cntrl_space.o: clean_ascii_cntrl_space.c
-clean_ascii_cntrl_space.o: clean_ascii_cntrl_space.h
-clean_ascii_cntrl_space.o: vbuf.h
-clean_ascii_cntrl_space.o: vstream.h
-clean_ascii_cntrl_space.o: vstring.h
unescape.o: check_arg.h
unescape.o: stringops.h
unescape.o: sys_defs.h