postfix-3.10-20250121-nonprod

postfix/HISTORY

@@ -28914,22 +28914,75 @@ Apologies for any names omitted.
 	bounce/bounce_one_service.c, bounce/bounce_trace_service.c,
 	bounce/bounce_verp_service.c, bounce/bounce_warn_service.c.
 
+	Completed: new Postfix sendmail command option "-O requiretls"
+	to request that deliveries over SMTP use the REQUIRETLS
+	extension. The option value "requiretls" is case-insensitive.
+	Files: sendmail/sendmail.c, global/rec_types.h.
+
+	Cleanup: new Postfix sendmail command option "-O smtputf8"
+	to request that deliveries over SMTP use the SMTPUTF8
+	extension. This reuses logic that was introduced for
+	REQUIRETLS. The option value "smtputf8" is case-insensitive.
+	Files: sendmail/sendmail.c.
+
+	Cleanup: when message delivery requires that a remote SMTP
+	server supports SMTPUTF8, try multiple MX servers before
+	returning a message as undeliverable. This reuses logic
+	that was introduced for REQUIRETLS. File: smtp/smtp_proto.c.
+
 TODO:
 
-	The RFC says that REQUIRETLS applies to LMTP. Dovecot supports
+	What REQUIRETLS expectations can we enforce when delivering
-	TLS, but how common is it for Postfix to verify a Dovecot
+	over a UNIX-domain channel? The SMTP/LMTP client currently
-	server certificate? Should we add a 'cheat' setting that does
+	implements the same behavior as for TCP, except that
-	not enforce REQUIRETLS?
+	opportunistic TLS is converted into 'none'.
 
-	If a message contains "TLS-Required: no", should a bounce message
+	Document how REQUIRETLS works (or does not) with external
-	also contain this header?
+	content filters.
 
-	If the Postfix SMTP server accepted REQUIRETLS, should that stay
+	- REQUIRETLS will work with Milter-based content filters.
-	in effect if, before the message is forwarded, the configuration
-	is changed to "requiretls_enable = no"? Same for "postsuper -r".
 
-	Ditto for "tls_required_enable = no" and "TLS-Required: no".
+	- REQUIRETLS will work with smtpd_proxy_filter as long as
+	  the filter passes the entire Postfix SMTP client's MAIL
+	  FROM command line through the filter to the Postfix SMTP
+	  server after the proxy filter. The Postfix proxy filter
+	  client does not need to see REQUIRETLS (or SMTPUTF8)
+	  announcements in the filter's EHLO response.
 
-	Simplify the cleanup_envelope_test. Write the initial SIZE record
+	- REQUIRETLS will work with an SMTP-based after-queue content
-	to /dev/null, don't call cleanup_final(), and  verify the value
+	  filters as long as the filter announces REQUIRETLS in the
-	of state->sendopts.
+	  EHLO response (this could be 'always', or copied from the
+	  after-filter Postfix SMTP server's EHLO response), and
+	  as long as the filter passes the entire MAIL FROM command
+	  from the before-filter Postfix SMTP client to the
+	  after-filter Postfix SMTP server. Apart from that, the
+	  content filter does not need to 'know' that REQUIRETLS
+	  exists.
+
+	- There currently is no sendmail(1) command-line option to
+	  request REQUIRETLS, and no pipe(8) option to propagate
+	  REQUIRETLS. We could invent a custom long option,
+	  such as '-O RequireTLS' and some way to emit that with
+	  pipe(8). Absent such a command-line option we could use
+	  an environment variable but that will have to be supported
+	  long-term.
+
+	The RFC says that REQUIRETLS applies to LMTP. Dovecot
+	supports TLS, but how common is it for Postfix to verify a
+	Dovecot server certificate? Should we add a 'cheat' setting
+	that does not enforce REQUIRETLS?
+
+	If a message contains "TLS-Required: no", should a bounce
+	message also contain this header?
+
+	If the Postfix SMTP server accepted REQUIRETLS, should that
+	stay in effect if, before the message is forwarded, the
+	configuration is changed to "requiretls_enable = no"? Same
+	for "postsuper -r".
+
+	Ditto for "tls_required_enable = no" and "TLS-Required:
+	no".
+
+	Simplify the cleanup_envelope_test. Write the initial SIZE
+	record to /dev/null, don't call cleanup_final(), and  verify
+	the value of state->sendopts.

postfix/html/mailq.1.html

@@ -174,6 +174,27 @@ SENDMAIL(1)                                                        SENDMAIL(1)
 
               This feature is available in Postfix 2.3 and later.
 
+       <b>-O requiretls</b>
+              When delivering the message with SMTP, the connection  must  use
+              TLS  with  a  verified  server  certificate, and the remote SMTP
+              server must support REQUIRETLS. Try  multiple  SMTP  servers  if
+              possible,  and  return  the  message as undeliverable when these
+              requirements were not satisfied with  any  of  the  remote  SMTP
+              servers  that  were  tried.  The  "requiretls"  option  value is
+              case-insensitive.
+
+              This feature is available in Postfix 3.10 and later.
+
+       <b>-O smtputf8</b>
+              When delivering the message with SMTP, the connection  must  use
+              the  SMTPUTF8  extension. Try multiple SMTP servers if possible,
+              and return the message as undeliverable when a message  contains
+              an UTF8 envelope address or message header, but SMTPUTF8 was not
+              supported by any of the remote SMTP servers that were tried. The
+              "smtputf8" option value is case-insensitive.
+
+              This feature is available in Postfix 3.10 and later.
+
        <b>-n</b> (ignored)
               Backwards compatibility.
 
@@ -483,6 +504,12 @@ SENDMAIL(1)                                                        SENDMAIL(1)
               the default Postfix instance, and  that  are  started,  stopped,
               etc., together with the default Postfix instance.
 
+       Postfix 3.10 and later:
+
+       <b><a href="postconf.5.html#requiretls_enable">requiretls_enable</a> (yes)</b>
+              Enable  support  for the ESMTP verb "REQUIRETLS", defined in <a href="https://tools.ietf.org/html/rfc8689">RFC</a>
+              <a href="https://tools.ietf.org/html/rfc8689">8689</a>.
+
 <b><a name="files">FILES</a></b>
        /var/spool/postfix, mail queue
        /etc/postfix, configuration files

postfix/html/newaliases.1.html

@@ -174,6 +174,27 @@ SENDMAIL(1)                                                        SENDMAIL(1)
 
               This feature is available in Postfix 2.3 and later.
 
+       <b>-O requiretls</b>
+              When delivering the message with SMTP, the connection  must  use
+              TLS  with  a  verified  server  certificate, and the remote SMTP
+              server must support REQUIRETLS. Try  multiple  SMTP  servers  if
+              possible,  and  return  the  message as undeliverable when these
+              requirements were not satisfied with  any  of  the  remote  SMTP
+              servers  that  were  tried.  The  "requiretls"  option  value is
+              case-insensitive.
+
+              This feature is available in Postfix 3.10 and later.
+
+       <b>-O smtputf8</b>
+              When delivering the message with SMTP, the connection  must  use
+              the  SMTPUTF8  extension. Try multiple SMTP servers if possible,
+              and return the message as undeliverable when a message  contains
+              an UTF8 envelope address or message header, but SMTPUTF8 was not
+              supported by any of the remote SMTP servers that were tried. The
+              "smtputf8" option value is case-insensitive.
+
+              This feature is available in Postfix 3.10 and later.
+
        <b>-n</b> (ignored)
               Backwards compatibility.
 
@@ -483,6 +504,12 @@ SENDMAIL(1)                                                        SENDMAIL(1)
               the default Postfix instance, and  that  are  started,  stopped,
               etc., together with the default Postfix instance.
 
+       Postfix 3.10 and later:
+
+       <b><a href="postconf.5.html#requiretls_enable">requiretls_enable</a> (yes)</b>
+              Enable  support  for the ESMTP verb "REQUIRETLS", defined in <a href="https://tools.ietf.org/html/rfc8689">RFC</a>
+              <a href="https://tools.ietf.org/html/rfc8689">8689</a>.
+
 <b><a name="files">FILES</a></b>
        /var/spool/postfix, mail queue
        /etc/postfix, configuration files

postfix/html/sendmail.1.html

@@ -174,6 +174,27 @@ SENDMAIL(1)                                                        SENDMAIL(1)
 
               This feature is available in Postfix 2.3 and later.
 
+       <b>-O requiretls</b>
+              When delivering the message with SMTP, the connection  must  use
+              TLS  with  a  verified  server  certificate, and the remote SMTP
+              server must support REQUIRETLS. Try  multiple  SMTP  servers  if
+              possible,  and  return  the  message as undeliverable when these
+              requirements were not satisfied with  any  of  the  remote  SMTP
+              servers  that  were  tried.  The  "requiretls"  option  value is
+              case-insensitive.
+
+              This feature is available in Postfix 3.10 and later.
+
+       <b>-O smtputf8</b>
+              When delivering the message with SMTP, the connection  must  use
+              the  SMTPUTF8  extension. Try multiple SMTP servers if possible,
+              and return the message as undeliverable when a message  contains
+              an UTF8 envelope address or message header, but SMTPUTF8 was not
+              supported by any of the remote SMTP servers that were tried. The
+              "smtputf8" option value is case-insensitive.
+
+              This feature is available in Postfix 3.10 and later.
+
        <b>-n</b> (ignored)
               Backwards compatibility.
 
@@ -483,6 +504,12 @@ SENDMAIL(1)                                                        SENDMAIL(1)
               the default Postfix instance, and  that  are  started,  stopped,
               etc., together with the default Postfix instance.
 
+       Postfix 3.10 and later:
+
+       <b><a href="postconf.5.html#requiretls_enable">requiretls_enable</a> (yes)</b>
+              Enable  support  for the ESMTP verb "REQUIRETLS", defined in <a href="https://tools.ietf.org/html/rfc8689">RFC</a>
+              <a href="https://tools.ietf.org/html/rfc8689">8689</a>.
+
 <b><a name="files">FILES</a></b>
        /var/spool/postfix, mail queue
        /etc/postfix, configuration files

postfix/man/man1/sendmail.1

@@ -162,6 +162,24 @@ notification when delivery is delayed), or \fBsuccess\fR
 \fBnever\fR (don't send any notifications at all).
 
 This feature is available in Postfix 2.3 and later.
+.IP "\fB\-O requiretls"
+When delivering the message with SMTP, the connection must use TLS
+with a verified server certificate, and the remote SMTP server
+must support REQUIRETLS. Try multiple SMTP servers if possible,
+and return the message as undeliverable when these requirements
+were not satisfied with any of the remote SMTP servers that were
+tried. The "requiretls" option value is case\-insensitive.
+
+This feature is available in Postfix 3.10 and later.
+.IP "\fB\-O smtputf8"
+When delivering the message with SMTP, the connection must use
+the SMTPUTF8 extension. Try multiple SMTP servers if possible,
+and return the message as undeliverable when a message contains
+an UTF8 envelope address or message header, but SMTPUTF8 was not
+supported by any of the remote SMTP servers that were tried. The
+"smtputf8" option value is case\-insensitive.
+
+This feature is available in Postfix 3.10 and later.
 .IP "\fB\-n\fR (ignored)"
 Backwards compatibility.
 .IP "\fB\-oA\fIalias_database\fR"
@@ -462,6 +480,11 @@ these directories belong to additional Postfix instances that share
 the Postfix executable files and documentation with the default
 Postfix instance, and that are started, stopped, etc., together
 with the default Postfix instance.
+.PP
+Postfix 3.10 and later:
+.IP "\fBrequiretls_enable (yes)\fR"
+Enable support for the ESMTP verb "REQUIRETLS", defined in RFC
+8689.
 .SH "FILES"
 .na
 .nf

postfix/proto/stop.double-history

@@ -161,3 +161,5 @@ proto  proto socketmap_table
  operations Files cleanup cleanup h cleanup cleanup_message c 
  global ehlo_mask_test c local forward c smtpd smtpd c 
  more alternate MX servers to try Files smtp smtp h 
+ Files sendmail sendmail c global rec_types h 
+ Files sendmail sendmail c 

postfix/src/global/mail_version.h

@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20250120"
+#define MAIL_RELEASE_DATE	"20250121"
 #define MAIL_VERSION_NUMBER	"3.10"
 
 #ifdef SNAPSHOT

postfix/src/global/rec_type.h

@@ -110,7 +110,7 @@
  /*
   * The subset of inputs that the postdrop command allows.
   */
-#define REC_TYPE_POST_ENVELOPE	"MFSRVAin"
+#define REC_TYPE_POST_ENVELOPE	"MCFSRVAin"
 #define REC_TYPE_POST_CONTENT	"XLN"
 #define REC_TYPE_POST_EXTRACT	"EAR"
 

postfix/src/pickup/pickup.c

@@ -236,6 +236,7 @@ static int copy_segment(VSTREAM *qfile, VSTREAM *cleanup, PICKUP_INFO *info,
     char   *attr_value;
     char   *saved_attr;
     int     skip_attr;
+    ssize_t count;
 
     /*
      * Limit the input record size. All front-end programs should protect the
@@ -246,7 +247,7 @@ static int copy_segment(VSTREAM *qfile, VSTREAM *cleanup, PICKUP_INFO *info,
      * 
      * We must allow PTR records here because of "postsuper -r".
      */
-    for (;;) {
+    for (count = 0; /* void */; count++) {
 	if ((type = rec_get(qfile, buf, var_line_limit)) < 0
 	    || strchr(expected, type) == 0)
 	    return (file_read_error(info, type));
@@ -264,6 +265,9 @@ static int copy_segment(VSTREAM *qfile, VSTREAM *cleanup, PICKUP_INFO *info,
 	}
 	if (type == REC_TYPE_TIME)
 	    time_seen = 1;
+	if (type == REC_TYPE_SIZE && count > 0)
+	    /* Discard SIZE record not at beginning of segment. */
+	    continue;
 
 	/*
 	 * XXX Workaround: REC_TYPE_FILT (used in envelopes) == REC_TYPE_CONT

postfix/src/sendmail/Makefile.in

@@ -86,6 +86,7 @@ sendmail.o: ../../include/recipient_list.h
 sendmail.o: ../../include/record.h
 sendmail.o: ../../include/resolve_clnt.h
 sendmail.o: ../../include/safe.h
+sendmail.o: ../../include/sendopts.h
 sendmail.o: ../../include/set_ugid.h
 sendmail.o: ../../include/split_at.h
 sendmail.o: ../../include/stringops.h

postfix/src/sendmail/sendmail.c

@@ -156,6 +156,24 @@
 /*	\fBnever\fR (don't send any notifications at all).
 /*
 /*	This feature is available in Postfix 2.3 and later.
+/* .IP "\fB-O requiretls"
+/*	When delivering the message with SMTP, the connection must use TLS
+/*	with a verified server certificate, and the remote SMTP server
+/*	must support REQUIRETLS. Try multiple SMTP servers if possible,
+/*	and return the message as undeliverable when these requirements
+/*	were not satisfied with any of the remote SMTP servers that were
+/*	tried. The "requiretls" option value is case-insensitive.
+/*
+/*	This feature is available in Postfix 3.10 and later.
+/* .IP "\fB-O smtputf8"
+/*	When delivering the message with SMTP, the connection must use
+/*	the SMTPUTF8 extension. Try multiple SMTP servers if possible,
+/*	and return the message as undeliverable when a message contains
+/*	an UTF8 envelope address or message header, but SMTPUTF8 was not
+/*	supported by any of the remote SMTP servers that were tried. The
+/*	"smtputf8" option value is case-insensitive.
+/*
+/*	This feature is available in Postfix 3.10 and later.
 /* .IP "\fB-n\fR (ignored)"
 /*	Backwards compatibility.
 /* .IP "\fB-oA\fIalias_database\fR"
@@ -434,6 +452,11 @@
 /*	the Postfix executable files and documentation with the default
 /*	Postfix instance, and that are started, stopped, etc., together
 /*	with the default Postfix instance.
+/* .PP
+/*	Postfix 3.10 and later:
+/* .IP "\fBrequiretls_enable (yes)\fR"
+/*	Enable support for the ESMTP verb "REQUIRETLS", defined in RFC
+/*	8689.
 /* FILES
 /*	/var/spool/postfix, mail queue
 /*	/etc/postfix, configuration files
@@ -537,6 +560,7 @@
 #include <user_acl.h>
 #include <dsn_mask.h>
 #include <mail_parm_split.h>
+#include <sendopts.h>
 
 /* Application-specific. */
 
@@ -589,6 +613,11 @@ static const CONFIG_STR_TABLE str_table[] = {
     0,
 };
 
+ /*
+  * Sender options.
+  */
+static int sm_sendopts;
+
  /*
   * Silly little macros (SLMs).
   */
@@ -788,6 +817,14 @@ static void enqueue(const int flags, const char *encoding,
      * With "sendmail -N", instead of a per-message NOTIFY record we store one
      * per recipient so that we can simplify the implementation somewhat.
      */
+    if (sm_sendopts)
+	rec_fprintf(dst, REC_TYPE_SIZE, REC_TYPE_SIZE_FORMAT,
+		    (REC_TYPE_SIZE_CAST1) ~ 0,	/* message segment size */
+		    (REC_TYPE_SIZE_CAST2) ~ 0,	/* content offset */
+		    (REC_TYPE_SIZE_CAST3) ~ 0,	/* recipient count */
+		    (REC_TYPE_SIZE_CAST4) ~ 0,	/* qmgr options */
+		    (REC_TYPE_SIZE_CAST5) ~ 0,	/* content length */
+		    (REC_TYPE_SIZE_CAST6) sm_sendopts);
     if (dsn_envid)
 	rec_fprintf(dst, REC_TYPE_ATTR, "%s=%s",
 		    MAIL_ATTR_DSN_ENVID, dsn_envid);
@@ -1251,7 +1288,19 @@ int     main(int argc, char **argv)
 	    break;
 	case 'N':
 	    if ((dsn_notify = dsn_notify_mask(optarg)) == 0)
-		msg_warn("bad -N option value -- ignored");
+		msg_warn("bad -N option value: '%s' -- ignored", optarg);
+	    break;
+	case 'O':
+	    if (strcasecmp(optarg, "REQUIRETLS") == 0) {
+		sm_sendopts |= SOPT_REQUIRETLS_ESMTP;
+	    if (var_requiretls_enable == 0)
+		msg_warn("'-O requiretls' was requested, but the "
+			 "configuration is 'requiretls_enable = no'");
+	    } else if (strcasecmp(optarg, "SMTPUTF8") == 0) {
+		sm_sendopts |= SOPT_SMTPUTF8_REQUESTED;
+	    } else {
+		msg_warn("bad -O option value: '%s' -- ignored", optarg);
+	    }
 	    break;
 	case 'R':
 	    if ((dsn_ret = dsn_ret_code(optarg)) == 0)

postfix/src/smtp/smtp_connect.c

@@ -522,8 +522,10 @@ static int smtp_get_effective_tls_level(DSN_BUF *why, SMTP_STATE *state)
 	if (TLS_MUST_MATCH(tls->level) == 0) {
 	    dsb_simple(why, "5.7.10", "Sender requires a TLS server "
 		       "certificate match, but the configured %s TLS "
-		       "security level (%s) does not support that",
+		       "security level '%s' does not support that. "
-		       var_mail_name, str_tls_level(tls->level));
+		       "The last attempted server was %s",
+		       var_mail_name, str_tls_level(tls->level),
+		       STR(iter->host));
 	    return (0);
 	}
     }

postfix/src/smtp/smtp_proto.c

@@ -665,7 +665,8 @@ int     smtp_helo(SMTP_STATE *state)
      */
     if ((session->features & SMTP_FEATURE_SMTPUTF8) == 0
 	&& DELIVERY_REQUIRES_SMTPUTF8)
-	return (smtp_mesg_fail(state, DSN_BY_LOCAL_MTA,
+	return (smtp_misc_fail(state, SMTP_MISC_FAIL_SOFT_NON_FINAL,
+			       DSN_BY_LOCAL_MTA,
 			       SMTP_RESP_FAKE(&fake, "5.6.7"),
 			       "SMTPUTF8 is required, "
 			       "but was not offered by host %s",

postfix/src/util/Makefile.in

@@ -1391,6 +1391,14 @@ cidr_match.o: stringops.h
 cidr_match.o: sys_defs.h
 cidr_match.o: vbuf.h
 cidr_match.o: vstring.h
+clean_ascii_cntrl_space.o: check_arg.h
+clean_ascii_cntrl_space.o: clean_ascii_cntrl_space.c
+clean_ascii_cntrl_space.o: clean_ascii_cntrl_space.h
+clean_ascii_cntrl_space.o: stringops.h
+clean_ascii_cntrl_space.o: sys_defs.h
+clean_ascii_cntrl_space.o: vbuf.h
+clean_ascii_cntrl_space.o: vstream.h
+clean_ascii_cntrl_space.o: vstring.h
 clean_env.o: argv.h
 clean_env.o: check_arg.h
 clean_env.o: clean_env.c
@@ -2837,14 +2845,6 @@ trimblanks.o: sys_defs.h
 trimblanks.o: trimblanks.c
 trimblanks.o: vbuf.h
 trimblanks.o: vstring.h
-clean_ascii_cntrl_space.o: check_arg.h
-clean_ascii_cntrl_space.o: stringops.h
-clean_ascii_cntrl_space.o: sys_defs.h
-clean_ascii_cntrl_space.o: clean_ascii_cntrl_space.c
-clean_ascii_cntrl_space.o: clean_ascii_cntrl_space.h
-clean_ascii_cntrl_space.o: vbuf.h
-clean_ascii_cntrl_space.o: vstream.h
-clean_ascii_cntrl_space.o: vstring.h
 unescape.o: check_arg.h
 unescape.o: stringops.h
 unescape.o: sys_defs.h