diff --git a/postfix/HISTORY b/postfix/HISTORY index 55a3c3e9b..3380077b2 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -22345,7 +22345,7 @@ Apologies for any names omitted. Cleanup: integer wrap-around detection in the MySQL and PostgreSQL clients. This is totally non-critical because Postfix strings are size-limited by design. Files: - global/dict_mysqql.c, global/dict_pgsql.c. + global/dict_mysql.c, global/dict_pgsql.c. 20160607 
@@ -28110,6 +28110,45 @@ Apologies for any names omitted. Documentation: in the rbl_reply_maps description,added text how it handles reject_rbl_* or reject_rhsbl_* queries with - an address filter. Also added text to clarify te differences + an address filter. Also added text to clarify the differences between rbl_reply_maps and postscreen_dnsbl_reply_map. File: proto/postconf.proto. + +20240623 + + Feature: improved rbl_reply_maps usability. After a query + with the form domain=address-filter returns no result, + rbl_reply_maps will query the tables with the domain (i.e. + without the =address-filter). Files: smtpd/smtpd_check.c, + proto/postconf.proto, smtpd/smtpd_check_access, smtpd/smtpd_exp.in, + smtpd/smtpd_exp.ref. + +20240626 + + Cleanup: updated SMTP server regression tests for last-minute + changes to the wording of deprecation messages. Files: + smtpd/smtpd_check_backup.ref, smtpd/smtpd_deprecated.ref, + smtpd/smtpd_exp.ref. + +20240719 + + Bitrot: with MySQL 8.0.35 and later set TLS options with + mysql_options() instead of mysql_ssl_set(). Researched by + Robert Fuhrer. Files: global/dict_mysql.c, proto/mysql_table. + +20240720 + + Bitrot: MariaDB Connector/C 3.0.0 lists mysql_options() as + deprecated, and recommends using mysql_optionsv() instead. + Option names and semantics have not changed. Peter Ajamian. + Files: global/dict_mysql.c, proto/mysql_table. + +20240721 + + Reproducible build: sort the output from 'env'. Scott + Kitterman. File: makedefs. + +20240722 + + Bitrot: some groff version complains about ".ft C" directives + in postconf(5) manpages. File: mantools/postconf2man. diff --git a/postfix/WISHLIST b/postfix/WISHLIST index f8cb62ffa..fb78b25b8 100644 --- a/postfix/WISHLIST +++ b/postfix/WISHLIST 
@@ -16,6 +16,16 @@ Wish list: using FIFOs anymore, and trigger servers could use a proper (attribute, value) protocol. + Send XFORWARD attributes in the SMTPD policy delegation + protocol. + + With "smtpd_reject_unlisted_mumble = no" the Postfix SMTP + server should still reject recipients that resolve to the + error or retry transport. + + bounce/annotate.sh should include the 'QUICK INSTRUCTIONS' + into the bounce.cf.default file. + The postsceen NON-SMTP test should log the command in the same format as the BARE NEWLINE and PREGREET tests. Consider logging the entire unadulterated command line. diff --git a/postfix/html/mysql_table.5.html b/postfix/html/mysql_table.5.html index c572cf535..5761b26e4 100644 --- a/postfix/html/mysql_table.5.html +++ b/postfix/html/mysql_table.5.html @@ -258,6 +258,11 @@ MYSQL_TABLE(5) MYSQL_TABLE(5) This parameter is available with Postfix 3.2 and later. +TLS-RELATED SETTINGS + See https://dev.mysql.com/doc/c-api/en/mysql-options.html or + https://mariadb.com/kb/en/mysql_optionsv/ for details of the underlying + MYSQL_OPT_SSL_* features. + tls_cert_file File containing client's X509 certificate. @@ -269,7 +274,7 @@ MYSQL_TABLE(5) MYSQL_TABLE(5) This parameter is available with Postfix 2.11 and later. tls_CAfile - File containing certificates for all of the X509 Certification + File containing X509 certificates for all of the Certification Authorities the client will recognize. Takes precedence over tls_CApath. diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 3734c5e89..a7c3e53bf 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -2610,7 +2610,8 @@ by an RFC 3463 enhanced status
$rbl_domain
-
The RBL domain where $rbl_what is denylisted.
+
The RBL domain (without any =address-filter) where +$rbl_what is denylisted.
$rbl_reason
@@ -8800,7 +8801,7 @@ the file is read).

NOTE: This feature differs from the Postfix SMTP server's rbl_reply_maps feature, where 1) the table search key includes the -optional "=address" filter, and where 2) the lookup result +optional "=address-filter", and where 2) the lookup result contains free text with $name variables.

This feature is available in Postfix 2.8.

@@ -9814,7 +9815,10 @@ This feature is available in Postfix 2.0 and later.

Optional lookup tables with RBL or RHSBL response templates. The table search key is the reject_rbl_* or reject_rhsbl_* argument, -including any optional "=address-pattern" filter.

+including any optional "=address-filter". With Postfix 3.10 +and later, if the result is "not found" and the search key has the +form domain=address-filter, then rbl_reply_maps will also +search with the domain.

By default, Postfix uses the template as specified with the default_rbl_reply configuration @@ -9838,20 +9842,26 @@ syntax. # variables. secret.zen.dq.spamhaus.net=127.0.0.[2..11] 554 $rbl_class $rbl_what blocked using ZEN - see https://www.spamhaus.org/query/ip/$client_address for details + + +

+    # Postfix ≥ 3.10: if a search key domain=address-filter
+    # is not found, then rbl_reply_maps will also search with the
+    # domain.
     secret.zen.dq.spamhaus.net
         554 $rbl_class $rbl_what blocked using ZEN - see https://www.spamhaus.org/query/ip/$client_address for details
 

NOTE: This feature differs from postscreen_dnsbl_reply_map where -the table search key is a domain name (no "=address" filter, -no "*weight" factor) and where the lookup result should be -a domain name (no free text, no $name variables). +the table search key is only a domain name (no "=address-filter", +no "*weight" factor) and where the lookup result +should be only a domain name (no free text, no $name variables).

This feature is available in Postfix 2.0 and later. -The "=address-pattern" filter is available in Postfix 2.8 and later. +The "=address-filter" feature is available in Postfix 2.8 and later.

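Review bot: the added example gives the filtered key `secret.zen.dq.spamhaus.net=127.0.0.[2..11]` and the bare key `secret.zen.dq.spamhaus.net` the same reply text, so a reader cannot see what the Postfix 3.10 fallback adds or which entry wins when both exist. Either give the filtered key a distinct reply, making the order visible (exact key first, bare domain only on "not found"), or say that with 3.10 the bare-domain entry alone now answers `reject_rbl_client secret.zen.dq.spamhaus.net=127.0.0.[2..11]`. The description should also state whether a table lookup error, as opposed to a "not found" result, triggers the second lookup, and warn that a bare-domain entry added for an unfiltered restriction will from 3.10 on also answer filtered queries for that domain, which matters for sites that deliberately return different text or different enhanced status codes for the two cases. The postconf.5 man page hunk for rbl_reply_maps carries the same example and needs the same treatment.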
diff --git a/postfix/makedefs b/postfix/makedefs index 430324d4e..e21e648ad 100644 --- a/postfix/makedefs +++ b/postfix/makedefs @@ -220,7 +220,7 @@ echo "#----------------------------------------------------------------" echo "# Start of summary of user-configurable 'make makefiles' options." echo "# CCARGS=$CCARGS" echo "# AUXLIBS=$AUXLIBS" -env | grep '^AUXLIBS_' | sed 's/^/# /' +env | grep '^AUXLIBS_' | sed 's/^/# /' | sort echo "# shared=$shared" echo "# dynamicmaps=$dynamicmaps" echo "# pie=$pie" diff --git a/postfix/man/man5/mysql_table.5 b/postfix/man/man5/mysql_table.5 index d6e64e231..1aba09ed6 100644 --- a/postfix/man/man5/mysql_table.5 +++ b/postfix/man/man5/mysql_table.5 @@ -277,6 +277,14 @@ set. If "\fBno\fR", treat the absence of a result set as "not found". .sp This parameter is available with Postfix 3.2 and later. +.SH "TLS-RELATED SETTINGS" +.na +.nf +.ad +.fi +See https://dev.mysql.com/doc/c\-api/en/mysql\-options.html +or https://mariadb.com/kb/en/mysql_optionsv/ for details of +the underlying MYSQL_OPT_SSL_* features. .IP "\fBtls_cert_file\fR" File containing client's X509 certificate. .sp @@ -286,7 +294,7 @@ File containing the private key corresponding to \fBtls_cert_file\fR. .sp This parameter is available with Postfix 2.11 and later. .IP "\fBtls_CAfile\fR" -File containing certificates for all of the X509 Certification +File containing X509 certificates for all of the Certification Authorities the client will recognize. Takes precedence over \fBtls_CApath\fR. .sp diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 04bba9d91..3237a6c2a 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -154,12 +154,10 @@ Examples: .PP .nf .na -.ft C address_verify_map = hash:/var/lib/postfix/verify address_verify_map = btree:/var/lib/postfix/verify .fi .ad -.ft R .PP This feature is available in Postfix 2.1 and later. .SH address_verify_negative_cache (default: yes) 
@@ -217,14 +215,12 @@ Examples: .PP .nf .na -.ft C # Postfix <= 2.6 default address_verify_poll_count = 3 # Poor man's greylisting address_verify_poll_count = 1 .fi .ad -.ft R .PP This feature is available in Postfix 2.1 and later. .SH address_verify_poll_delay (default: 3s) @@ -285,12 +281,10 @@ Examples: .PP .nf .na -.ft C address_verify_sender = <> address_verify_sender = postmaster@mydomain .fi .ad -.ft R .PP This feature is available in Postfix 2.1 and later. .SH address_verify_sender_dependent_default_transport_maps (default: $sender_dependent_default_transport_maps) @@ -351,12 +345,10 @@ Examples: .PP .nf .na -.ft C alias_database = hash:/etc/aliases alias_database = hash:/etc/mail/aliases .fi .ad -.ft R .SH alias_maps (default: see "postconf \-d" output) Optional lookup tables that are searched only with an email address localpart (no domain) and that apply only to \fBlocal\fR(8) recipients; @@ -392,12 +384,10 @@ Examples: .PP .nf .na -.ft C alias_maps = hash:/etc/aliases, nis:mail.aliases alias_maps = hash:/etc/aliases .fi .ad -.ft R .SH allow_mail_to_commands (default: alias, forward) Restrict \fBlocal\fR(8) mail delivery to external commands. The default is to disallow delivery to "|command" in :include: files (see @@ -411,11 +401,9 @@ Example: .PP .nf .na -.ft C allow_mail_to_commands = alias,forward,include .fi .ad -.ft R .SH allow_mail_to_files (default: alias, forward) Restrict \fBlocal\fR(8) mail delivery to external files. The default is to disallow "/file/name" destinations in :include: files (see @@ -429,11 +417,9 @@ Example: .PP .nf .na -.ft C allow_mail_to_files = alias,forward,include .fi .ad -.ft R .SH allow_min_user (default: no) Allow a sender or recipient address to have `\-' as the first character. By 
@@ -470,11 +456,9 @@ Example: .PP .nf .na -.ft C allow_percent_hack = no .fi .ad -.ft R .SH allow_srv_lookup_fallback (default: no) When SRV record lookup fails or no SRV record exists, fall back to MX or IP address lookup as if SRV record lookup was not enabled. @@ -677,11 +661,9 @@ Example: .PP .nf .na -.ft C authorized_submit_users = !www, static:all .fi .ad -.ft R .PP This feature is available in Postfix 2.2 and later. .SH authorized_verp_clients (default: $mynetworks) @@ -879,12 +861,10 @@ Examples: .PP .nf .na -.ft C canonical_maps = dbm:/etc/postfix/canonical canonical_maps = hash:/etc/postfix/canonical .fi .ad -.ft R .SH cleanup_replace_stray_cr_lf (default: yes) Replace each stray or character in message content with a space character, to prevent outbound SMTP smuggling, @@ -998,7 +978,6 @@ message when a backwards\-compatible default setting is required. .in +4 .nf .na -.ft C using backwards\-compatible default setting \fIname=value\fR to [accept a specific client request] .sp @@ -1006,7 +985,6 @@ using backwards\-compatible default setting \fIname=value\fR to [enable specific Postfix behavior] .fi .ad -.ft R .in -4 .PP See COMPATIBILITY_README for specific message details. If such @@ -1017,12 +995,10 @@ permanent in main.cf or master.cf, for example: .in +4 .nf .na -.ft C # \fBpostconf\fR \fIname=value\fR # \fBpostfix reload\fR .fi .ad -.ft R .in -4 .PP When no more backwards\-compatible settings need to be made @@ -1032,12 +1008,10 @@ by updating the compatibility_level setting in main.cf: .in +4 .nf .na -.ft C # \fBpostconf compatibility_level=\fIN\fR\fR # \fBpostfix reload\fR .fi .ad -.ft R .in -4 .PP For \fIN\fR specify the number that is logged in your \fBpostfix\fR(1) @@ -1046,12 +1020,10 @@ warning message: .in +4 .nf .na -.ft C warning: To disable backwards compatibility use "postconf compatibility_level=\fIN\fR" and "postfix reload" .fi .ad -.ft R .in -4 .PP Starting with Postfix version 3.6, the compatibility level in 
@@ -1213,12 +1185,10 @@ Examples: .PP .nf .na -.ft C debug_peer_list = 127.0.0.1 debug_peer_list = example.com .fi .ad -.ft R .SH debugger_command (default: empty) The external command to execute when a Postfix daemon program is invoked with the \-D option. @@ -1235,13 +1205,11 @@ Example: .PP .nf .na -.ft C debugger_command = PATH=/usr/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5 .fi .ad -.ft R .SH default_database_type (default: see "postconf \-d" output) The default database type for use in \fBnewaliases\fR(1), \fBpostalias\fR(1) and \fBpostmap\fR(1) commands. On many UNIX systems the default type is @@ -1252,12 +1220,10 @@ Examples: .PP .nf .na -.ft C default_database_type = hash default_database_type = dbm .fi .ad -.ft R .SH default_delivery_slot_cost (default: 5) How often the Postfix queue manager's scheduler is allowed to preempt delivery of one message with another. @@ -1293,12 +1259,10 @@ Examples: .PP .nf .na -.ft C default_delivery_slot_cost = 0 default_delivery_slot_cost = 2 .fi .ad -.ft R .SH default_delivery_slot_discount (default: 50) The default value for transport\-specific _delivery_slot_discount settings. @@ -1369,18 +1333,15 @@ by overriding the first number in the enhanced status code. .in +4 .nf .na -.ft C /etc/postfix/main.cf: smtp_delivery_status_filter = pcre:/etc/postfix/smtp_dsn_filter .fi .ad -.ft R .in -4 .sp .in +4 .nf .na -.ft C /etc/postfix/smtp_dsn_filter: /^4(\e.\ed+\e.\ed+ TLS is required, but host \eS+ refused to start TLS: .+)/ 5$1 @@ -1393,7 +1354,6 @@ by overriding the first number in the enhanced status code. # 4.\ed+.\ed+ Cannot start TLS: handshake failure .fi .ad -.ft R .in -4 .PP Example 2: censor the per\-recipient delivery status text so 
@@ -1403,24 +1363,20 @@ when a remote sender requests confirmation of successful delivery. .in +4 .nf .na -.ft C /etc/postfix/main.cf: local_delivery_status_filter = pcre:/etc/postfix/local_dsn_filter .fi .ad -.ft R .in -4 .sp .in +4 .nf .na -.ft C /etc/postfix/local_dsn_filter: /^(2\eS+ delivered to file).+/ $1 /^(2\eS+ delivered to command).+/ $1 .fi .ad -.ft R .in -4 .PP Notes: @@ -1687,7 +1643,8 @@ reply. With Postfix version 2.3 and later this information may be followed by an RFC 3463 enhanced status code. .br .IP "\fB$rbl_domain\fR" -The RBL domain where $rbl_what is denylisted. +The RBL domain (without any \fI=address\-filter\fR) where +$rbl_what is denylisted. .br .IP "\fB$rbl_reason\fR" The reason why $rbl_what is denylisted, or an empty string. @@ -1811,11 +1768,9 @@ Example: .PP .nf .na -.ft C default_transport = uucp:relayhostname .fi .ad -.ft R .SH default_transport_rate_delay (default: 0s) The default amount of delay that is inserted between individual message deliveries over the same message delivery transport, @@ -1831,12 +1786,10 @@ per minute. .PP .nf .na -.ft C /etc/postfix/main.cf: smtp_transport_rate_delay = 20s .fi .ad -.ft R .PP To enable the delay, specify a non\-zero time value (an integral value plus an optional one\-letter suffix that specifies the time @@ -1877,11 +1830,9 @@ Example: .PP .nf .na -.ft C defer_transports = smtp .fi .ad -.ft R .SH delay_logging_resolution_limit (default: 2) The maximal number of digits after the decimal point when logging sub\-second delay values. Specify a number in the range 0..6. @@ -1989,11 +1940,9 @@ Example: .PP .nf .na -.ft C disable_vrfy_command = no .fi .ad -.ft R .SH dns_ncache_ttl_fix_enable (default: no) Enable a workaround for future libc incompatibility. The Postfix implementation of RFC 2308 negative reply caching relies on the 
@@ -2038,13 +1987,11 @@ Example: .PP .nf .na -.ft C warning: DNSSEC validation may be unavailable warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated warning: reason: dnssec_probe 'ns:.' received no response: Server failure .fi .ad -.ft R .PP Possible reasons why DNSSEC validation may be unavailable: .IP \(bu @@ -2178,13 +2125,11 @@ are required to convert long queue file names into short names: .PP .nf .na -.ft C # postfix stop # postconf enable_long_queue_ids=no # postsuper .fi .ad -.ft R .PP Repeat the postsuper command until it reports no more queue file name changes. @@ -2280,11 +2225,9 @@ Example: .PP .nf .na -.ft C export_environment = TZ PATH=/bin:/usr/bin .fi .ad -.ft R .SH extract_recipient_limit (default: 10240) The maximal number of recipient addresses that Postfix will extract from message headers when mail is submitted with "\fBsendmail \-t\fR". @@ -2476,14 +2419,12 @@ Examples: .PP .nf .na -.ft C forward_path = /var/forward/$user forward_path = /var/forward/$user/.forward$recipient_delimiter$extension, /var/forward/$user/.forward .fi .ad -.ft R .SH frozen_delivered_to (default: yes) Update the \fBlocal\fR(8) delivery agent's idea of the Delivered\-To: address (see prepend_delivered_header) only once, at the start of @@ -2592,12 +2533,10 @@ Examples: .PP .nf .na -.ft C home_mailbox = Mailbox home_mailbox = Maildir/ .fi .ad -.ft R .SH hopcount_limit (default: 50) The maximal number of Received: message headers that is allowed in the primary message headers. A message that exceeds the limit @@ -2730,7 +2669,6 @@ Examples: .PP .nf .na -.ft C inet_interfaces = all (DEFAULT) inet_interfaces = loopback\-only (Postfix version 2.2 and later) inet_interfaces = 127.0.0.1 
@@ -2738,7 +2676,6 @@ inet_interfaces = 127.0.0.1, [::1] (Postfix version 2.2 and later) inet_interfaces = 192.168.1.2, 127.0.0.1 .fi .ad -.ft R .SH inet_protocols (default: see 'postconf \-d' output) The Internet protocols Postfix will attempt to use when making or accepting connections. Specify one or more of "ipv4" @@ -2782,14 +2719,12 @@ Examples: .PP .nf .na -.ft C inet_protocols = ipv4 inet_protocols = all (DEFAULT) inet_protocols = ipv6 inet_protocols = ipv4, ipv6 .fi .ad -.ft R .SH info_log_address_format (default: external) The email address form that will be used in non\-debug logging (info, warning, etc.). As of Postfix 3.5 when an address localpart @@ -2799,11 +2734,9 @@ quoted, for example: .in +4 .nf .na -.ft C from=<"name with spaces"@example.com> .fi .ad -.ft R .in -4 .PP Older Postfix versions would log the internal (unquoted) form: @@ -2811,11 +2744,9 @@ Older Postfix versions would log the internal (unquoted) form: .in +4 .nf .na -.ft C from= .fi .ad -.ft R .in -4 .PP The external and internal forms are identical for the vast @@ -3024,11 +2955,9 @@ Example: .PP .nf .na -.ft C lmtp_connect_timeout = 30s .fi .ad -.ft R .SH lmtp_connection_cache_destinations (default: empty) The LMTP\-specific version of the smtp_connection_cache_destinations configuration parameter. See there for details. @@ -3200,12 +3129,10 @@ client, for example: .in +4 .nf .na -.ft C /etc/postfix/master.cf: mylmtp ... lmtp \-o lmtp_lhlo_name=foo.bar.com .fi .ad -.ft R .in -4 .PP This feature is available in Postfix 2.3 and later. @@ -3389,11 +3316,9 @@ Example: .PP .nf .na -.ft C lmtp_sasl_security_options = noplaintext .fi .ad -.ft R .SH lmtp_sasl_tls_security_options (default: $lmtp_sasl_security_options) The LMTP\-specific version of the smtp_sasl_tls_security_options configuration parameter. See there for details. 
@@ -3665,12 +3590,10 @@ Example: .PP .nf .na -.ft C local_command_shell = /some/where/smrsh \-c local_command_shell = /bin/bash \-c .fi .ad -.ft R .SH local_delivery_status_filter (default: $default_delivery_status_filter) Optional filter for the \fBlocal\fR(8) delivery agent to change the status code or explanatory text of successful or unsuccessful @@ -3769,11 +3692,9 @@ header addresses. .in +4 .nf .na -.ft C local_header_rewrite_clients = static:all .fi .ad -.ft R .in -4 .PP The purist (and default) setting: rewrite headers only in mail @@ -3782,11 +3703,9 @@ from Postfix sendmail and in SMTP mail from this machine. .in +4 .nf .na -.ft C local_header_rewrite_clients = permit_inet_interfaces .fi .ad -.ft R .in -4 .PP The intermediate setting: rewrite header addresses and append @@ -3800,13 +3719,11 @@ system. .in +4 .nf .na -.ft C local_header_rewrite_clients = permit_mynetworks, permit_sasl_authenticated permit_tls_clientcerts check_address_map hash:/etc/postfix/pop\-before\-smtp .fi .ad -.ft R .in -4 .SH local_login_sender_maps (default: static:*) A list of lookup tables that are searched by the UNIX login name, @@ -3843,7 +3760,6 @@ Examples: .PP .nf .na -.ft C /etc/postfix/main.cf: # Allow root and postfix full control, anyone else can only # send mail as themselves. Use "uid:" followed by the numerical @@ -3853,17 +3769,14 @@ Examples: pcre:/etc/postfix/login_senders .fi .ad -.ft R .PP .nf .na -.ft C /etc/postfix/login_senders: # Allow both the bare username and the user@domain forms. /(.+)/ $1 $1@example.com .fi .ad -.ft R .PP This feature is available in Postfix 3.6 and later. .SH local_recipient_maps (default: proxy:unix:passwd.byname $alias_maps) @@ -3909,11 +3822,9 @@ Examples: .PP .nf .na -.ft C local_recipient_maps = .fi .ad -.ft R .SH local_transport (default: local:$myhostname) The default mail delivery transport and next\-hop destination for final delivery to domains listed with mydestination, and for 
@@ -3993,13 +3904,11 @@ Examples: .PP .nf .na -.ft C luser_relay = $user@other.host luser_relay = $local@other.host luser_relay = admin+$local .fi .ad -.ft R .SH mail_name (default: Postfix) The mail system name that is displayed in Received: headers, in the SMTP greeting banner, and in bounced mail. @@ -4030,12 +3939,10 @@ Examples: .PP .nf .na -.ft C mail_spool_directory = /var/mail mail_spool_directory = /var/spool/mail .fi .ad -.ft R .SH mail_version (default: see "postconf \-d" output) The version of the mail system. Stable releases are named \fImajor\fR.\fIminor\fR.\fIpatchlevel\fR. Experimental releases @@ -4135,14 +4042,12 @@ Examples: .PP .nf .na -.ft C mailbox_command = /some/where/procmail mailbox_command = /some/where/procmail \-a "$EXTENSION" mailbox_command = /some/where/maildrop \-d "$USER" \-f "$SENDER" "$EXTENSION" .fi .ad -.ft R .SH mailbox_command_maps (default: empty) Optional lookup tables with per\-recipient external commands to use for \fBlocal\fR(8) mailbox delivery. Behavior is as with mailbox_command. @@ -4280,11 +4185,9 @@ first match. Thus, .in +4 .nf .na -.ft C masquerade_domains = foo.example.com example.com .fi .ad -.ft R .in -4 .PP strips "user@any.thing.foo.example.com" to "user@foo.example.com", @@ -4296,11 +4199,9 @@ or its subdomains. Thus, .in +4 .nf .na -.ft C masquerade_domains = !foo.example.com example.com .fi .ad -.ft R .in -4 .PP does not change "user@any.thing.foo.example.com" or "user@foo.example.com", @@ -4325,11 +4226,9 @@ Example: .PP .nf .na -.ft C masquerade_domains = $mydomain .fi .ad -.ft R .SH masquerade_exceptions (default: empty) Optional list of user names that are not subjected to address masquerading, even when their addresses match $masquerade_domains. 
@@ -4350,12 +4249,10 @@ Examples: .PP .nf .na -.ft C masquerade_exceptions = root, mailer\-daemon masquerade_exceptions = root .fi .ad -.ft R .SH master_service_disable (default: empty) Selectively disable \fBmaster\fR(8) listener ports by service type or by service name and type. Specify a list of service types @@ -4373,7 +4270,6 @@ Examples: .PP .nf .na -.ft C # With Postfix 2.6..2.10 use '.' instead of '/'. # Turn on all \fBmaster\fR(8) listener ports (the default). master_service_disable = @@ -4385,7 +4281,6 @@ master_service_disable = inet master_service_disable = !foo/inet, inet .fi .ad -.ft R .PP This feature is available in Postfix 2.6 and later. .SH max_idle (default: 100s) @@ -4452,11 +4347,9 @@ Example: .PP .nf .na -.ft C message_reject_characters = \e0 .fi .ad -.ft R .PP This feature is available in Postfix 2.3 and later. .SH message_size_limit (default: 10240000) @@ -4484,11 +4377,9 @@ Example: .PP .nf .na -.ft C message_strip_characters = \e0 .fi .ad -.ft R .PP This feature is available in Postfix 2.3 and later. .SH meta_directory (default: see 'postconf \-d' output) @@ -4593,21 +4484,17 @@ by default. .PP .nf .na -.ft C /etc/postfix/main.cf: milter_header_checks = pcre:/etc/postfix/milter_header_checks .fi .ad -.ft R .PP .nf .na -.ft C /etc/postfix/milter_header_checks: /^X\-SPAM\-FLAG:\es+YES/ FILTER mysmtp:sanitizer.example.com:25 .fi .ad -.ft R .PP The milter_header_checks mechanism could also be used for allowlisting. For example it could be used to skip heavy content @@ -4832,12 +4719,10 @@ Examples: .PP .nf .na -.ft C mydestination = $myhostname, localhost.$mydomain $mydomain mydestination = $myhostname, localhost.$mydomain www.$mydomain, ftp.$mydomain .fi .ad -.ft R .SH mydomain (default: see "postconf \-d" output) The internet domain name of this mail system. The default is to use $myhostname minus the first component, or "localdomain" (Postfix 
@@ -4848,11 +4733,9 @@ Example: .PP .nf .na -.ft C mydomain = domain.tld .fi .ad -.ft R .SH myhostname (default: see "postconf \-d" output) The internet hostname of this mail system. The default is to use the fully\-qualified domain name (FQDN) from gethostname(), or to @@ -4864,11 +4747,9 @@ Example: .PP .nf .na -.ft C myhostname = host.example.com .fi .ad -.ft R .SH mynetworks (default: see "postconf \-d" output) The list of "trusted" remote SMTP clients that have more privileges than "strangers". @@ -4916,7 +4797,6 @@ Examples: .PP .nf .na -.ft C mynetworks = 127.0.0.0/8 168.100.189.0/28 mynetworks = !192.168.0.1, 192.168.0.0/28 mynetworks = 127.0.0.0/8 168.100.189.0/28 [::1]/128 [2001:240:587::]/64 @@ -4925,7 +4805,6 @@ mynetworks = hash:/etc/postfix/network_table mynetworks = cidr:/etc/postfix/network_table.cidr .fi .ad -.ft R .SH mynetworks_style (default: Postfix >= 3.0: host, Postfix < 3.0: subnet) The method to generate the default value for the mynetworks parameter. This is the list of trusted networks for relay access control etc. @@ -4957,11 +4836,9 @@ Example: .PP .nf .na -.ft C myorigin = $mydomain .fi .ad -.ft R .SH nested_header_checks (default: $header_checks) Optional lookup tables for content inspection of non\-MIME message headers in attached messages, as described in the \fBheader_checks\fR(5) @@ -5053,12 +4930,10 @@ Examples: .PP .nf .na -.ft C notify_classes = bounce, delay, policy, protocol, resource, software notify_classes = 2bounce, resource, software .fi .ad -.ft R .SH openssl_path (default: openssl) The location of the OpenSSL command line program \fBopenssl\fR(1). This is used by the "\fBpostfix tls\fR" command to create private keys, @@ -5072,7 +4947,6 @@ Example: .in +4 .nf .na -.ft C /etc/postfix/main.cf: # NetBSD pkgsrc: openssl_path = /usr/pkg/bin/openssl @@ -5080,7 +4954,6 @@ Example: openssl_path = /usr/local/bin/openssl .fi .ad -.ft R .in -4 .PP This feature is available in Postfix 3.1 and later. 
@@ -5234,7 +5107,6 @@ Example: .PP .nf .na -.ft C /etc/postfix/main.cf: postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr @@ -5242,11 +5114,9 @@ Example: postscreen_denylist_action = enforce .fi .ad -.ft R .PP .nf .na -.ft C /etc/postfix/postscreen_access.cidr: # Rules are evaluated in the order as specified. # Denylist 192.168.* except 192.168.0.1. @@ -5254,7 +5124,6 @@ Example: 192.168.0.0/16 reject .fi .ad -.ft R .PP This feature is available in Postfix 2.8. .SH postscreen_allowlist_interfaces (default: static:all) @@ -5297,14 +5166,12 @@ Example: .PP .nf .na -.ft C /etc/postfix/main.cf: # Don't allowlist connections to the backup IP address. # Postfix < 3.6 use postscreen_whitelist_interfaces. postscreen_allowlist_interfaces = !168.100.189.8, static:all .fi .ad -.ft R .PP This feature is available in Postfix 3.6 and later. .PP @@ -5554,25 +5421,21 @@ Example: .PP .nf .na -.ft C /etc/postfix/main.cf: postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply .fi .ad -.ft R .PP .nf .na -.ft C /etc/postfix/dnsbl_reply: secret.zen.spamhaus.org zen.spamhaus.org .fi .ad -.ft R .PP NOTE: This feature differs from the Postfix SMTP server's rbl_reply_maps feature, where 1) the table search key includes the -optional "\fI=address\fR" filter, and where 2) the lookup result +optional "\fI=address\-filter\fR", and where 2) the lookup result contains free text with \fI$name\fR variables. .PP This feature is available in Postfix 2.8. @@ -5620,22 +5483,18 @@ block mail with example.net and example.org only when both agree: .PP .nf .na -.ft C postscreen_dnsbl_threshold = 2 postscreen_dnsbl_sites = example.com*2, example.net, example.org .fi .ad -.ft R .PP To filter only DNSBL replies containing 127.0.0.4: .PP .nf .na -.ft C postscreen_dnsbl_sites = example.com=127.0.0.4 .fi .ad -.ft R .PP This feature is available in Postfix 2.8. .SH postscreen_dnsbl_threshold (default: 1) 
@@ -5930,11 +5789,9 @@ Example: .PP .nf .na -.ft C prepend_delivered_header = forward .fi .ad -.ft R .SH process_id (read\-only) The process ID of a Postfix command or daemon process. .SH process_id_directory (default: pid) @@ -5966,13 +5823,11 @@ Examples: .PP .nf .na -.ft C propagate_unmatched_extensions = canonical, virtual, alias, forward, include propagate_unmatched_extensions = canonical, virtual .fi .ad -.ft R .SH proxy_interfaces (default: empty) The remote network interface addresses that this mail system receives mail on by way of a proxy or network address translation unit. @@ -5987,11 +5842,9 @@ Example: .PP .nf .na -.ft C proxy_interfaces = 1.2.3.4 .fi .ad -.ft R .SH proxy_read_maps (default: see "postconf \-d" output) The lookup tables that the \fBproxymap\fR(8) server is allowed to access for the read\-only service. @@ -6098,11 +5951,9 @@ Example: .PP .nf .na -.ft C qmqpd_authorized_clients = !192.168.0.1, 192.168.0.0/24 .fi .ad -.ft R .SH qmqpd_client_port_logging (default: no) Enable logging of the remote QMQP client port in addition to the hostname and IP address. The logging format is "host[address]:port". @@ -6167,7 +6018,10 @@ This feature is available in Postfix 2.0 and later. .SH rbl_reply_maps (default: empty) Optional lookup tables with RBL or RHSBL response templates. The table search key is the reject_rbl_* or reject_rhsbl_* argument, -including any optional "\fI=address\-pattern\fR" filter. +including any optional "\fI=address\-filter\fR". With Postfix 3.10 +and later, if the result is "not found" and the search key has the +form \fIdomain=address\-filter\fR, then rbl_reply_maps will also +search with the \fIdomain\fR. .PP By default, Postfix uses the template as specified with the default_rbl_reply configuration @@ -6178,7 +6032,6 @@ Example: .PP .nf .na -.ft C /etc/postfix/main.cf: rbl_reply_maps = hash:/etc/postfix/rbl_reply smtpd_recipient_restrictions = 
@@ -6192,19 +6045,26 @@ Example: # variables. \fIsecret\fR.zen.dq.spamhaus.net=127.0.0.[2..11] 554 $rbl_class $rbl_what blocked using ZEN \- see https://www.spamhaus.org/query/ip/$client_address for details +.fi +.ad +.PP +.nf +.na + # Postfix >= 3.10: if a search key \fIdomain=address\-filter\fR + # is not found, then rbl_reply_maps will also search with the + # \fIdomain\fR. \fIsecret\fR.zen.dq.spamhaus.net 554 $rbl_class $rbl_what blocked using ZEN \- see https://www.spamhaus.org/query/ip/$client_address for details .fi .ad -.ft R .PP NOTE: This feature differs from postscreen_dnsbl_reply_map where -the table search key is a domain name (no "\fI=address\fR" filter, -no "\fI*weight\fR" factor) and where the lookup result should be -a domain name (no free text, no \fI$name\fR variables). +the table search key is only a domain name (no "\fI=address\-filter\fR", +no "\fI*weight\fR" factor) and where the lookup result +should be only a domain name (no free text, no \fI$name\fR variables). .PP This feature is available in Postfix 2.0 and later. -The "=address\-pattern" filter is available in Postfix 2.8 and later. +The "=address\-filter" feature is available in Postfix 2.8 and later. .SH readme_directory (default: see "postconf \-d" output) The location of Postfix README files that describe how to build, configure or operate a specific Postfix subsystem or feature. @@ -6247,13 +6107,11 @@ Examples: .PP .nf .na -.ft C receive_override_options = no_unknown_recipient_checks, no_header_body_checks receive_override_options = no_address_mappings .fi .ad -.ft R .PP This feature is available in Postfix 2.1 and later. .SH recipient_bcc_maps (default: empty) @@ -6300,11 +6158,9 @@ Example: .PP .nf .na -.ft C recipient_bcc_maps = hash:/etc/postfix/recipient_bcc .fi .ad -.ft R .PP After a change, run "\fBpostmap /etc/postfix/recipient_bcc\fR". .PP 
@@ -6329,11 +6185,9 @@ Example: .PP .nf .na -.ft C recipient_canonical_maps = hash:/etc/postfix/recipient_canonical .fi .ad -.ft R .SH recipient_delimiter (default: empty) The set of characters that can separate an email address localpart, user name, or a .forward file name from its extension. @@ -6371,32 +6225,26 @@ Examples: .PP .nf .na -.ft C # Handle Postfix\-style extensions. recipient_delimiter = + .fi .ad -.ft R .PP .nf .na -.ft C # Handle both Postfix and qmail extensions (Postfix 2.11 and later). recipient_delimiter = +\- .fi .ad -.ft R .PP .nf .na -.ft C # Use .forward for mail without address extension, and for mail with # an unrecognized address extension. forward_path = $home/.forward${recipient_delimiter}${extension}, $home/.forward .fi .ad -.ft R .SH reject_code (default: 554) The numerical Postfix SMTP server response code when a remote SMTP client request is rejected by the "reject" restriction. @@ -6441,11 +6289,9 @@ Example: .PP .nf .na -.ft C relay_clientcerts = hash:/etc/postfix/relay_clientcerts .fi .ad -.ft R .PP For more fine\-grained control, use check_ccert_access to select an appropriate \fBaccess\fR(5) policy for each client. @@ -6529,11 +6375,9 @@ Example: .PP .nf .na -.ft C relay_recipient_maps = hash:/etc/postfix/relay_recipients .fi .ad -.ft R .PP This feature is available in Postfix 2.0 and later. .SH relay_transport (default: relay) @@ -6607,14 +6451,12 @@ Examples: .PP .nf .na -.ft C relayhost = $mydomain relayhost = [gateway.example.com] relayhost = mail1.example:587, mail2.example:587 relayhost = [an.ip.add.ress] .fi .ad -.ft R .SH relocated_maps (default: empty) Optional lookup tables with new contact information for users or domains that no longer exist. The table format and lookups are 
@@ -6632,12 +6474,10 @@ Examples: .PP .nf .na -.ft C relocated_maps = dbm:/etc/postfix/relocated relocated_maps = hash:/etc/postfix/relocated .fi .ad -.ft R .SH remote_header_rewrite_domain (default: empty) Rewrite or add message headers in mail from remote clients if the remote_header_rewrite_domain parameter value is non\-empty, @@ -6657,11 +6497,9 @@ be confused with local addresses. .in +4 .nf .na -.ft C remote_header_rewrite_domain = domain.invalid .fi .ad -.ft R .in -4 .PP The default, purist, setting: don't rewrite headers from remote @@ -6670,11 +6508,9 @@ clients at all. .in +4 .nf .na -.ft C remote_header_rewrite_domain = .fi .ad -.ft R .in -4 .SH require_home_directory (default: no) Require that a \fBlocal\fR(8) recipient's home directory exists @@ -6835,11 +6671,9 @@ Example: .PP .nf .na -.ft C sender_bcc_maps = hash:/etc/postfix/sender_bcc .fi .ad -.ft R .PP After a change, run "\fBpostmap /etc/postfix/sender_bcc\fR". .PP @@ -6867,11 +6701,9 @@ Example: .PP .nf .na -.ft C sender_canonical_maps = hash:/etc/postfix/sender_canonical .fi .ad -.ft R .SH sender_dependent_default_transport_maps (default: empty) A sender\-dependent override for the global default_transport parameter setting. The tables are searched by the envelope sender @@ -6975,7 +6807,6 @@ Example master.cf entries: .PP .nf .na -.ft C # Distinguish inbound MTA logging from submission and smtps logging. smtp inet n \- n \- \- smtpd submission inet n \- n \- \- smtpd @@ -6984,18 +6815,15 @@ smtps inet n \- n \- \- smtpd \-o syslog_name=postfix/$service_name .fi .ad -.ft R .PP .nf .na -.ft C # Distinguish outbound MTA logging from inbound relay logging. smtp unix \- \- n \- \- smtp relay unix \- \- n \- \- smtp \-o syslog_name=postfix/$service_name .fi .ad -.ft R .PP This feature is available in Postfix 3.3 and later. .SH service_throttle_time (default: 60s) 
@@ -7085,23 +6913,19 @@ only IPv4. .in +4 .nf .na -.ft C /etc/postfix/main.cf: inet_protocols = all .fi .ad -.ft R .in -4 .sp .in +4 .nf .na -.ft C /etc/postfix/master.cf smtp ...other fields... smtp \-o inet_protocols=ipv4 .fi .ad -.ft R .in -4 .br .PP @@ -7116,30 +6940,25 @@ transport_maps to apply this feature selectively: .in +4 .nf .na -.ft C /etc/postfix/main.cf: transport_maps = hash:/etc/postfix/transport .fi .ad -.ft R .in -4 .sp .in +4 .nf .na -.ft C /etc/postfix/transport: smtp\-domain\-that\-verifies\-after\-data smtp\-data\-target: lmtp\-domain\-that\-verifies\-after\-data lmtp\-data\-target: .fi .ad -.ft R .in -4 .sp .in +4 .nf .na -.ft C /etc/postfix/master.cf: smtp\-data\-target unix \- \- n \- \- smtp \-o smtp_address_verify_target=data @@ -7147,7 +6966,6 @@ transport_maps to apply this feature selectively: \-o lmtp_address_verify_target=data .fi .ad -.ft R .in -4 .PP Unselective use of the "data" target does no harm, but will @@ -7184,12 +7002,10 @@ for example: .in +4 .nf .na -.ft C /etc/postfix/master.cf: smtp ... smtp \-o smtp_bind_address=11.22.33.44 .fi .ad -.ft R .in -4 .PP See smtp_bind_address_enforce for how Postfix should handle @@ -7216,12 +7032,10 @@ for example: .in +4 .nf .na -.ft C /etc/postfix/master.cf: smtp ... smtp \-o smtp_bind_address6=1:2:3:4:5:6:7:8 .fi .ad -.ft R .in -4 .PP See smtp_bind_address_enforce for how Postfix should handle @@ -7475,11 +7289,9 @@ to the following form: .PP .nf .na -.ft C \fIname ttl class type preference value\fR .fi .ad -.ft R .PP The \fIclass\fR field is always "IN", the \fIpreference\fR field exists only for MX records, the names of hosts, domains, etc. 
@@ -7521,23 +7333,19 @@ with valid PTR etc. records. .PP .nf .na -.ft C /etc/postfix/main.cf: smtp_dns_reply_filter = pcre:/etc/postfix/smtp_dns_reply_filter .fi .ad -.ft R .PP .nf .na -.ft C /etc/postfix/smtp_dns_reply_filter: # /domain ttl IN AAAA address/ action, all case\-insensitive. # Note: the domain name ends in ".". /^\eS+\e.google\e.com\e.\es+\eS+\es+\eS+\es+AAAA\es+/ IGNORE .fi .ad -.ft R .PP This feature is available in Postfix 3.0 and later. .SH smtp_dns_resolver_options (default: empty) @@ -7719,12 +7527,10 @@ client, for example: .in +4 .nf .na -.ft C /etc/postfix/master.cf: mysmtp ... smtp \-o smtp_helo_name=foo.bar.com .fi .ad -.ft R .in -4 .PP This feature is available in Postfix 2.0 and later. @@ -7940,12 +7746,10 @@ a broken SMTP server, configure a special SMTP client in master.cf: .in +4 .nf .na -.ft C /etc/postfix/master.cf: broken\-smtp . . . smtp \-o smtp_quote_rfc821_envelope=no .fi .ad -.ft R .in -4 .PP and route mail for the destination in question to the "broken\-smtp" @@ -7993,16 +7797,13 @@ Examples: .PP .nf .na -.ft C /etc/postfix/main.cf: smtp_reply_filter = pcre:/etc/postfix/reply_filter .fi .ad -.ft R .PP .nf .na -.ft C /etc/postfix/reply_filter: # Transform garbage into "250\-filler..." so that it looks like # one line from a multi\-line reply. It does not matter what we @@ -8012,7 +7813,6 @@ Examples: !/^([2\-5][0\-9][0\-9]($|[\- ]))/ 250\-filler for garbage .fi .ad -.ft R .PP This feature is available in Postfix 2.7. .SH smtp_rset_timeout (default: 20s) @@ -8058,11 +7858,9 @@ Example: .PP .nf .na -.ft C smtp_sasl_auth_cache_name = proxy:btree:/var/lib/postfix/sasl_auth_cache .fi .ad -.ft R .PP This feature is available in Postfix 2.5 and later. .SH smtp_sasl_auth_cache_time (default: 90d) 
@@ -8083,11 +7881,9 @@ Example: .PP .nf .na -.ft C smtp_sasl_auth_enable = yes .fi .ad -.ft R .SH smtp_sasl_auth_soft_bounce (default: yes) When a remote SMTP server rejects a SASL authentication request with a 535 reply code, defer mail delivery instead of returning @@ -8101,14 +7897,12 @@ Example: .PP .nf .na -.ft C # Default as of Postfix 2.5 smtp_sasl_auth_soft_bounce = yes # The old hard\-coded default smtp_sasl_auth_soft_bounce = no .fi .ad -.ft R .PP This feature is available in Postfix 2.5 and later. .SH smtp_sasl_mechanism_filter (default: empty) @@ -8131,13 +7925,11 @@ Examples: .PP .nf .na -.ft C smtp_sasl_mechanism_filter = plain, login smtp_sasl_mechanism_filter = /etc/postfix/smtp_mechs smtp_sasl_mechanism_filter = !gssapi, !login, static:rest .fi .ad -.ft R .SH smtp_sasl_password_maps (default: empty) Optional Postfix SMTP client lookup tables with one username:password entry per sender, remote hostname or next\-hop domain. Per\-sender @@ -8200,11 +7992,9 @@ Example: .PP .nf .na -.ft C smtp_sasl_security_options = noplaintext .fi .ad -.ft R .SH smtp_sasl_tls_security_options (default: $smtp_sasl_security_options) The SASL authentication security options that the Postfix SMTP client uses for TLS encrypted SMTP sessions. @@ -8320,11 +8110,9 @@ Example: .PP .nf .na -.ft C smtp_tls_CAfile = /etc/postfix/CAcert.pem .fi .ad -.ft R .PP This feature is available in Postfix 2.2 and later. .SH smtp_tls_CApath (default: empty) @@ -8347,11 +8135,9 @@ Example: .PP .nf .na -.ft C smtp_tls_CApath = /etc/postfix/certs .fi .ad -.ft R .PP This feature is available in Postfix 2.2 and later. .SH smtp_tls_block_early_mail_reply (default: no) @@ -8378,7 +8164,6 @@ well without them. The recommended setting is to let the defaults stand: .in +4 .nf .na -.ft C smtp_tls_cert_file = smtp_tls_key_file = smtp_tls_eccert_file = 
@@ -8390,7 +8175,6 @@ smtp_tls_dkey_file = smtp_tls_chain_files = .fi .ad -.ft R .in -4 .PP The best way to use the default settings is to comment out the above @@ -8409,12 +8193,10 @@ As the "root" super\-user create the client.pem file with: .in +4 .nf .na -.ft C # \fBumask 077\fR # \fBcat client_key.pem client_cert.pem intermediate_CA.pem > chain.pem \fR .fi .ad -.ft R .in -4 .PP If you also want to verify remote SMTP server certificates issued by @@ -8429,11 +8211,9 @@ Example: .PP .nf .na -.ft C smtp_tls_cert_file = /etc/postfix/chain.pem .fi .ad -.ft R .PP This feature is available in Postfix 2.2 and later. .SH smtp_tls_chain_files (default: empty) @@ -8485,7 +8265,6 @@ Example (separate files for each key and corresponding certificate chain): .in +4 .nf .na -.ft C /etc/postfix/main.cf: smtp_tls_chain_files = ${config_directory}/ed25519.pem, @@ -8493,13 +8272,11 @@ Example (separate files for each key and corresponding certificate chain): ${config_directory}/rsa.pem .fi .ad -.ft R .in -4 .sp .in +4 .nf .na -.ft C /etc/postfix/ed25519.pem: \-\-\-\-\-BEGIN PRIVATE KEY\-\-\-\-\- MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3 @@ -8511,13 +8288,11 @@ Example (separate files for each key and corresponding certificate chain): \-\-\-\-\-END CERTIFICATE\-\-\-\-\- .fi .ad -.ft R .in -4 .sp .in +4 .nf .na -.ft C /etc/postfix/ed448.pem: \-\-\-\-\-BEGIN PRIVATE KEY\-\-\-\-\- MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe @@ -8530,13 +8305,11 @@ Example (separate files for each key and corresponding certificate chain): \-\-\-\-\-END CERTIFICATE\-\-\-\-\- .fi .ad -.ft R .in -4 .sp .in +4 .nf .na -.ft C /etc/postfix/rsa.pem: \-\-\-\-\-BEGIN PRIVATE KEY\-\-\-\-\- MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL @@ -8550,7 +8323,6 @@ Example (separate files for each key and corresponding certificate chain): \-\-\-\-\-END CERTIFICATE\-\-\-\-\- .fi .ad -.ft R .in -4 .PP Example (all keys and certificates in a single file): 
@@ -8558,18 +8330,15 @@ Example (all keys and certificates in a single file): .in +4 .nf .na -.ft C /etc/postfix/main.cf: smtp_tls_chain_files = ${config_directory}/chains.pem .fi .ad -.ft R .in -4 .sp .in +4 .nf .na -.ft C /etc/postfix/chains.pem: \-\-\-\-\-BEGIN PRIVATE KEY\-\-\-\-\- MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3 @@ -8600,7 +8369,6 @@ Example (all keys and certificates in a single file): \-\-\-\-\-END CERTIFICATE\-\-\-\-\- .fi .ad -.ft R .in -4 .PP This feature is available in Postfix 3.4 and later. @@ -8689,11 +8457,9 @@ Example: .PP .nf .na -.ft C smtp_tls_dcert_file = /etc/postfix/client\-dsa.pem .fi .ad -.ft R .PP This feature is available in Postfix 2.2 and later. .SH smtp_tls_dkey_file (default: $smtp_tls_dcert_file) @@ -8720,11 +8486,9 @@ Example: .PP .nf .na -.ft C smtp_tls_eccert_file = /etc/postfix/ecdsa\-ccert.pem .fi .ad -.ft R .PP This feature is available in Postfix 2.6 and later, when Postfix is compiled and linked with OpenSSL 1.0.0 or later. @@ -8797,32 +8561,26 @@ Sample commands to compute certificate and public key SHA256 digests: .PP .nf .na -.ft C # SHA256 digest of the first certificate in "cert.pem" $ openssl x509 \-in cert.pem \-outform DER | openssl dgst \-sha256 \-c .fi .ad -.ft R .PP .nf .na -.ft C # SHA256 digest of the SPKI of the first certificate in "cert.pem" $ openssl x509 \-in cert.pem \-pubkey \-noout | openssl pkey \-pubin \-outform DER | openssl dgst \-sha256 \-c .fi .ad -.ft R .PP .nf .na -.ft C # SHA256 digest of the SPKI of the first private key in "pkey.pem" $ openssl pkey \-in pkey.pem \-pubout \-outform DER | openssl dgst \-sha256 \-c .fi .ad -.ft R .PP This feature is available in Postfix 3.9 and later. .SH smtp_tls_enforce_peername (default: yes) @@ -8855,7 +8613,6 @@ Examples (some of these will cause problems): .in +4 .nf .na -.ft C smtp_tls_exclude_ciphers = aNULL smtp_tls_exclude_ciphers = MD5, DES smtp_tls_exclude_ciphers = DES+MD5 
@@ -8863,7 +8620,6 @@ smtp_tls_exclude_ciphers = AES256\-SHA, DES\-CBC3\-MD5 smtp_tls_exclude_ciphers = kEDH+aRSA .fi .ad -.ft R .in -4 .PP The first setting disables anonymous ciphers. The next setting @@ -8905,7 +8661,6 @@ another, and both keys are trusted just prior to the transition. .in +4 .nf .na -.ft C relayhost = [mailhub.example.com] smtp_tls_security_level = fingerprint smtp_tls_fingerprint_digest = sha256 @@ -8914,7 +8669,6 @@ smtp_tls_fingerprint_cert_match = dd:5c:ef:f5:c3:bc:64:25:36:...:99:36:06:ce:40:ef:de:2e:ad:a4 .fi .ad -.ft R .in -4 .PP Example: Certificate fingerprint verification with selected destinations. @@ -8923,26 +8677,22 @@ As in the example above, we show two matching fingerprints: .in +4 .nf .na -.ft C /etc/postfix/main.cf: smtp_tls_policy_maps = hash:/etc/postfix/tls_policy smtp_tls_fingerprint_digest = sha256 .fi .ad -.ft R .in -4 .sp .in +4 .nf .na -.ft C /etc/postfix/tls_policy: example.com fingerprint match=51:e9:af:2e:1e:40:1f:...:64:0a:30:35:2d:09:16:31:5a:eb:82:76 match=b6:b4:72:34:e2:59:cd:...:c2:ca:63:0d:4d:cc:2c:7d:84:de:e6:2f .fi .ad -.ft R .in -4 .PP This feature is available in Postfix 2.5 and later. @@ -8978,11 +8728,9 @@ specific digest algorithm, run: .in +4 .nf .na -.ft C $ openssl x509 \-noout \-fingerprint \-\fIdigest\fR \-in \fIcertfile\fR.pem .fi .ad -.ft R .in -4 .PP The text to the right of the "=" sign is the desired fingerprint. @@ -8991,12 +8739,10 @@ For example: .in +4 .nf .na -.ft C $ openssl x509 \-noout \-fingerprint \-sha256 \-in cert.pem SHA256 Fingerprint=D4:6A:AB:19:24:...:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A .fi .ad -.ft R .in -4 .PP To extract the public key fingerprint from an X.509 certificate, @@ -9014,7 +8760,6 @@ all key types. .in +4 .nf .na -.ft C # OpenSSL >= 1.0 with SHA\-256 fingerprints. $ openssl x509 \-in cert.pem \-noout \-pubkey | openssl pkey \-pubin \-outform DER | 
@@ -9022,7 +8767,6 @@ $ openssl x509 \-in cert.pem \-noout \-pubkey | (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:...:fc:09:1a:61:98:b5:bc:7c:60:58 .fi .ad -.ft R .in -4 .PP The Postfix SMTP server and client log the peer (leaf) certificate @@ -9058,11 +8802,9 @@ Example: .PP .nf .na -.ft C smtp_tls_key_file = $smtp_tls_cert_file .fi .ad -.ft R .PP This feature is available in Postfix 2.2 and later. .SH smtp_tls_loglevel (default: 0) @@ -9212,7 +8954,6 @@ Hexadecimal example (Postfix >= 3.6): .in +4 .nf .na -.ft C # Allow only TLS 1.2 through (hypothetical) TLS 1.4, once supported # in some future version of OpenSSL (presently a warning is logged). smtp_tls_mandatory_protocols = >=TLSv1.2, <=0305 @@ -9220,7 +8961,6 @@ smtp_tls_mandatory_protocols = >=TLSv1.2, <=0305 smtp_tls_mandatory_protocols = >=0x0303 .fi .ad -.ft R .in -4 .PP With Postfix < 3.6 there is no support for a minimum or maximum @@ -9238,11 +8978,9 @@ disables all versions above that higher version. Thus, for example: .in +4 .nf .na -.ft C smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1.1 .fi .ad -.ft R .in -4 .PP also disables any protocol versions higher than TLSv1.1 leaving @@ -9264,14 +9002,12 @@ TLS_README for more information about security levels. Example: .nf .na -.ft C # Preferred syntax with Postfix >= 3.6: smtp_tls_mandatory_protocols = >=TLSv1.2, <=TLSv1.3 # Legacy syntax: smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 .fi .ad -.ft R .PP This feature is available in Postfix 2.3 and later. .SH smtp_tls_note_starttls_offer (default: no) @@ -9282,11 +9018,9 @@ The logfile record looks like: .PP .nf .na -.ft C postfix/smtp[pid]: Host offered STARTTLS: [name.of.host] .fi .ad -.ft R .PP This feature is available in Postfix 2.2 and later. .SH smtp_tls_per_site (default: empty) @@ -9546,7 +9280,6 @@ Example: .PP .nf .na -.ft C /etc/postfix/main.cf: smtp_tls_policy_maps = hash:/etc/postfix/tls_policy # Postfix 2.5 and later. 
@@ -9557,11 +9290,9 @@ Example: smtp_tls_fingerprint_digest = sha256 .fi .ad -.ft R .PP .nf .na -.ft C /etc/postfix/tls_policy: example.edu none example.mil may @@ -9576,7 +9307,6 @@ Example: match=51:e9:af:2e:1e:40:1f:...:64:0a:30:35:2d:09:16:31:5a:eb:82:76 .fi .ad -.ft R .PP \fBNote:\fR The "hostname" strategy if listed in a non\-default setting of smtp_tls_secure_cert_match or in the "match" attribute @@ -9624,7 +9354,6 @@ Hexadecimal example (Postfix >= 3.6): .in +4 .nf .na -.ft C # Allow only TLS 1.0 through (hypothetical) TLS 1.4, once supported # in some future version of OpenSSL (presently a warning is logged). smtp_tls_protocols = >=TLSv1, <=0305 @@ -9632,7 +9361,6 @@ smtp_tls_protocols = >=TLSv1, <=0305 smtp_tls_protocols = >=0x0301 .fi .ad -.ft R .in -4 .PP With Postfix < 3.6 there is no support for a minimum or maximum @@ -9650,11 +9378,9 @@ versions above that higher version. Thus, for example: .in +4 .nf .na -.ft C smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1.1 .fi .ad -.ft R .in -4 also disables any protocols version higher than TLSv1.1 leaving only "TLSv1" enabled. @@ -9666,14 +9392,12 @@ releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2). Example: .nf .na -.ft C # Preferred syntax with Postfix >= 3.6: smtp_tls_protocols = >=TLSv1, <=TLSv1.3 # Legacy syntax: smtp_tls_protocols = !SSLv2, !SSLv3 .fi .ad -.ft R .PP This feature is available in Postfix 2.6 and later. .SH smtp_tls_scert_verifydepth (default: 9) @@ -9712,11 +9436,9 @@ Sample main.cf setting: .in +4 .nf .na -.ft C smtp_tls_secure_cert_match = nexthop .fi .ad -.ft R .in -4 .PP Sample policy table override: @@ -9724,12 +9446,10 @@ Sample policy table override: .in +4 .nf .na -.ft C example.net secure match=example.com:.example.com \&.example.net secure match=example.com:.example.com .fi .ad -.ft R .in -4 .PP This feature is available in Postfix 2.3 and later. 
@@ -9841,16 +9561,13 @@ Examples: .PP .nf .na -.ft C # No TLS. Formerly: smtp_use_tls=no and smtp_enforce_tls=no. smtp_tls_security_level = none .fi .ad -.ft R .PP .nf .na -.ft C # Opportunistic TLS. smtp_tls_security_level = may # Do not tweak opportunistic ciphers or protocols unless it is essential @@ -9863,21 +9580,17 @@ smtp_tls_protocols = >=TLSv1 smtp_tls_protocols = !SSLv2, !SSLv3 .fi .ad -.ft R .PP .nf .na -.ft C # Mandatory (high\-grade) TLS encryption. smtp_tls_security_level = encrypt smtp_tls_mandatory_ciphers = high .fi .ad -.ft R .PP .nf .na -.ft C # Authenticated TLS 1.2 or better matching the nexthop domain or a # subdomain. smtp_tls_security_level = secure @@ -9886,11 +9599,9 @@ smtp_tls_mandatory_protocols = >=TLSv1.2 smtp_tls_secure_cert_match = nexthop, dot\-nexthop .fi .ad -.ft R .PP .nf .na -.ft C # Certificate fingerprint verification (Postfix >= 2.5). # The CA\-less "fingerprint" security level only scales to a limited # number of destinations. As a global default rather than a per\-site @@ -9905,7 +9616,6 @@ smtp_tls_fingerprint_cert_match = EC:3B:2D:B0:...:A3:9D:72:F6 .fi .ad -.ft R .PP This feature is available in Postfix 2.3 and later. .SH smtp_tls_servername (default: empty) @@ -9965,11 +9675,9 @@ Example: .PP .nf .na -.ft C smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache .fi .ad -.ft R .PP This feature is available in Postfix 2.2 and later. .SH smtp_tls_session_cache_timeout (default: 3600s) @@ -10029,11 +9737,9 @@ containing a single certificate, as follows: .in +4 .nf .na -.ft C $ openssl x509 \-in cert.pem \-out ta\-key.pem \-noout \-pubkey .fi .ad -.ft R .in -4 .PP This feature is available in Postfix 2.11 and later. 
@@ -10094,22 +9800,18 @@ Sample main.cf setting: .PP .nf .na -.ft C smtp_tls_verify_cert_match = hostname, nexthop, dot\-nexthop .fi .ad -.ft R .PP Sample policy table override: .PP .nf .na -.ft C example.com verify match=hostname:nexthop \&.example.com verify match=example.com:.example.com:hostname .fi .ad -.ft R .PP This feature is available in Postfix 2.3 and later. .SH smtp_tls_wrappermode (default: no) @@ -10124,7 +9826,6 @@ Example: deliver all remote mail via a provider's server .PP .nf .na -.ft C /etc/postfix/main.cf: # Client\-side SMTPS requires "encrypt" or stronger. smtp_tls_security_level = encrypt @@ -10133,7 +9834,6 @@ Example: deliver all remote mail via a provider's server relayhost = [mail.example.com]:465 .fi .ad -.ft R .PP More examples are in TLS_README, including examples for older Postfix versions. @@ -10253,11 +9953,9 @@ Example: .PP .nf .na -.ft C smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) .fi .ad -.ft R .SH smtpd_client_auth_rate_limit (default: 0) The maximal number of AUTH commands that any client is allowed to send to this service per time unit, regardless of whether or not @@ -10303,11 +10001,9 @@ Example: .PP .nf .na -.ft C smtpd_client_connection_rate_limit = 1000 .fi .ad -.ft R .SH smtpd_client_event_limit_exceptions (default: $mynetworks) Clients that are excluded from smtpd_client_*_count/rate_limit restrictions. See the mynetworks parameter @@ -10363,11 +10059,9 @@ Example: .PP .nf .na -.ft C smtpd_client_message_rate_limit = 1000 .fi .ad -.ft R .SH smtpd_client_new_tls_session_rate_limit (default: 0) The maximal number of new (i.e., uncached) TLS sessions that a remote SMTP client is allowed to negotiate with this service per @@ -10390,11 +10084,9 @@ Example: .PP .nf .na -.ft C smtpd_client_new_tls_session_rate_limit = 100 .fi .ad -.ft R .SH smtpd_client_port_logging (default: no) Enable logging of the remote SMTP client port in addition to the hostname and IP address. The logging format is "host[address]:port". 
@@ -10420,11 +10112,9 @@ Example: .PP .nf .na -.ft C smtpd_client_recipient_rate_limit = 1000 .fi .ad -.ft R .SH smtpd_client_restrictions (default: empty) Optional restrictions that the Postfix SMTP server applies in the context of a client connection request. @@ -10773,14 +10463,12 @@ the next restriction in the list, if any. This may stop zombie mail when used as: .nf .na -.ft C /etc/postfix/main.cf: smtpd_client_restrictions = sleep 1, reject_unauth_pipelining smtpd_delay_reject = no .fi .ad -.ft R This feature is available in Postfix 2.3. .br .IP "\fBwarn_if_reject\fR" @@ -10810,11 +10498,9 @@ Example: .PP .nf .na -.ft C smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname .fi .ad -.ft R .SH smtpd_command_filter (default: empty) A mechanism to transform commands from remote SMTP clients. This is a last\-resort tool to work around client commands that break 
@@ -10847,62 +10533,50 @@ feature: .PP .nf .na -.ft C /etc/postfix/main.cf: smtpd_command_filter = pcre:/etc/postfix/command_filter .fi .ad -.ft R .PP .nf .na -.ft C /etc/postfix/command_filter: # Work around clients that send malformed HELO commands. /^HELO\es*$/ HELO domain.invalid .fi .ad -.ft R .PP .nf .na -.ft C # Work around clients that send empty lines. /^\es*$/ NOOP .fi .ad -.ft R .PP .nf .na -.ft C # Work around clients that send RCPT TO:<'user@domain'>. # WARNING: do not lose the parameters that follow the address. /^(RCPT\es+TO:\es*<)'([^[:space:]]+)'(>.*)/ $1$2$3 .fi .ad -.ft R .PP .nf .na -.ft C # Append XVERP to MAIL FROM commands to request VERP\-style delivery. # See VERP_README for more information on how to use Postfix VERP. /^(MAIL\es+FROM:\es*.*)/ $1 XVERP .fi .ad -.ft R .PP .nf .na -.ft C # Bounce\-never mail sink. Use notify_classes=bounce,resource,software # to send bounced mail to the postmaster (with message body removed). /^(RCPT\es+TO:\es*<.*>.*)\es+NOTIFY=\eS+(.*)/ $1 NOTIFY=NEVER$2 /^(RCPT\es+TO:.*)/ $1 NOTIFY=NEVER .fi .ad -.ft R .PP This feature is available in Postfix 2.7. .SH smtpd_data_restrictions (default: empty) @@ -10938,12 +10612,10 @@ Examples: .PP .nf .na -.ft C smtpd_data_restrictions = reject_unauth_pipelining smtpd_data_restrictions = reject_multi_recipient_bounce .fi .ad -.ft R .SH smtpd_delay_open_until_valid_rcpt (default: yes) Postpone the start of an SMTP mail transaction until a valid RCPT TO command is received. Specify "no" to create a mail transaction @@ -11087,11 +10759,9 @@ Example: .PP .nf .na -.ft C smtpd_etrn_restrictions = permit_mynetworks, reject .fi .ad -.ft R .SH smtpd_expansion_filter (default: see "postconf \-d" output) What characters are allowed in $name expansions of RBL reply templates. Characters not in the allowed set are replaced by "_". 
@@ -11182,7 +10852,6 @@ Recommended settings: .in +4 .nf .na -.ft C # Require the standard End\-of\-DATA sequence .. # Otherwise, allow bare and process it as if the client sent # . @@ -11200,7 +10869,6 @@ smtpd_forbid_bare_newline = normalize smtpd_forbid_bare_newline_exclusions = $mynetworks .fi .ad -.ft R .in -4 .PP Alternative: @@ -11208,7 +10876,6 @@ Alternative: .in +4 .nf .na -.ft C # Reject input lines that contain and log a "bare received" # error. Require that input lines end in , and require the # standard End\-of\-DATA sequence .. @@ -11238,7 +10905,6 @@ smtpd_forbid_bare_newline_exclusions = $mynetworks # smtpd_discard_ehlo_keywords = chunking, silent\-discard .fi .ad -.ft R .in -4 .PP This feature with settings \fByes\fR and \fBno\fR is available @@ -11296,11 +10962,9 @@ Example: .PP .nf .na -.ft C smtpd_helo_required = yes .fi .ad -.ft R .SH smtpd_helo_restrictions (default: empty) Optional restrictions that the Postfix SMTP server applies in the context of a client HELO command. @@ -11431,12 +11095,10 @@ Examples: .PP .nf .na -.ft C smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname smtpd_helo_restrictions = permit_mynetworks, reject_unknown_helo_hostname .fi .ad -.ft R .SH smtpd_history_flush_threshold (default: 100) The maximal number of lines in the Postfix SMTP server command history before it is flushed upon receipt of EHLO, RSET, or end of DATA. @@ -11468,23 +11130,19 @@ Examples: .PP .nf .na -.ft C /etc/postfix/main.cf: # Log all "permit" actions. smtpd_log_access_permit_actions = static:all .fi .ad -.ft R .PP .nf .na -.ft C /etc/postfix/main.cf: # Log "permit_dnswl_client" only. smtpd_log_access_permit_actions = permit_dnswl_client .fi .ad -.ft R .PP This feature is available in Postfix 2.10 and later. .SH smtpd_milter_maps (default: empty) 
@@ -11500,17 +11158,14 @@ Example to disable Milters for local clients: .PP .nf .na -.ft C /etc/postfix/main.cf: smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map smtpd_milters = inet:host:port, { inet:host:port, ... }, ... .fi .ad -.ft R .PP .nf .na -.ft C /etc/postfix/smtpd_milter_map: # Disable Milters for local clients. 127.0.0.0/8 DISABLE @@ -11519,7 +11174,6 @@ Example to disable Milters for local clients: 2001:db8::/32 DISABLE .fi .ad -.ft R .PP This feature is available in Postfix 3.2 and later. .SH smtpd_milters (default: empty) @@ -11762,21 +11416,17 @@ refuse to receive mail: .in +4 .nf .na -.ft C reject, reject_unauth_destination .fi .ad -.ft R .in -4 .sp .in +4 .nf .na -.ft C defer, defer_if_permit, defer_unauth_destination .fi .ad -.ft R .in -4 .PP Specify a list of restrictions, separated by commas and/or whitespace. @@ -11953,13 +11603,11 @@ Example: .PP .nf .na -.ft C # The Postfix before 2.10 default mail relay policy. Later Postfix # versions implement this preferably with smtpd_relay_restrictions. smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination .fi .ad -.ft R .SH smtpd_reject_footer (default: empty) Optional information that is appended after each Postfix SMTP server @@ -11973,7 +11621,6 @@ is output literally. .PP .nf .na -.ft C /etc/postfix/main.cf: smtpd_reject_footer = \ec. For assistance, call 800\-555\-0101. Please provide the following information in your problem report: @@ -11981,20 +11628,17 @@ is output literally. ($server_name). .fi .ad -.ft R .PP Server response: .PP .nf .na -.ft C 550\-5.5.1 Recipient address rejected: User unknown. For assistance, call 800\-555\-0101. Please provide the following information in your problem report: time (Jan 4 15:42:00), client (192.168.1.248) and server (mail1.example.com). .fi .ad -.ft R .PP Note: the above text is meant to make it easier to find the Postfix logfile records for a failed SMTP session. The text itself 
@@ -12144,21 +11788,17 @@ refuse to receive mail: .in +4 .nf .na -.ft C reject, reject_unauth_destination .fi .ad -.ft R .in -4 .sp .in +4 .nf .na -.ft C defer, defer_if_permit, defer_unauth_destination .fi .ad -.ft R .in -4 .PP Specify a list of restrictions, separated by commas and/or whitespace. @@ -12193,25 +11833,21 @@ access restriction can be used to permit relay access, like this: .in +4 .nf .na -.ft C # With Postfix 2.10 and later, the mail relay policy is # preferably specified under smtpd_relay_restrictions. smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, ... .fi .ad -.ft R .PP .nf .na -.ft C # With Postfix before 2.10, the relay policy can be # specified only under smtpd_recipient_restrictions. smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, ... .fi .ad -.ft R .in -4 .PP To reject all SMTP connections from unauthenticated clients, @@ -12220,11 +11856,9 @@ specify "smtpd_delay_reject = yes" (which is the default) and use: .in +4 .nf .na -.ft C smtpd_client_restrictions = permit_sasl_authenticated, reject .fi .ad -.ft R .in -4 .PP See the SASL_README file for SASL configuration and operation details. @@ -12263,11 +11897,9 @@ Example: .PP .nf .na -.ft C smtpd_sasl_exceptions_networks = $mynetworks .fi .ad -.ft R .PP This feature is available in Postfix 2.1 and later. .SH smtpd_sasl_local_domain (default: empty) @@ -12280,12 +11912,10 @@ Examples: .PP .nf .na -.ft C smtpd_sasl_local_domain = $mydomain smtpd_sasl_local_domain = $myhostname .fi .ad -.ft R .SH smtpd_sasl_mechanism_filter (default: !external, static:rest) If non\-empty, a filter for the SASL mechanism names that the Postfix SMTP server will announce in the EHLO response. By default, 
@@ -12301,13 +11931,11 @@ Examples: .PP .nf .na -.ft C smtpd_sasl_mechanism_filter = !external, !gssapi, static:rest smtpd_sasl_mechanism_filter = login, plain smtpd_sasl_mechanism_filter = /etc/postfix/smtpd_mechs .fi .ad -.ft R .PP This feature is available in Postfix 3.6 and later. .SH smtpd_sasl_path (default: smtpd) @@ -12382,11 +12010,9 @@ Example: .PP .nf .na -.ft C smtpd_sasl_security_options = noanonymous, noplaintext .fi .ad -.ft R .SH smtpd_sasl_service (default: smtp) The service name that is passed to the SASL plug\-in that is selected with \fBsmtpd_sasl_type\fR and \fBsmtpd_sasl_path\fR. @@ -12602,13 +12228,11 @@ Examples: .PP .nf .na -.ft C smtpd_sender_restrictions = reject_unknown_sender_domain smtpd_sender_restrictions = reject_unknown_sender_domain, check_sender_access hash:/etc/postfix/access .fi .ad -.ft R .SH smtpd_service_name (default: smtpd) The internal service that \fBpostscreen\fR(8) hands off allowed connections to. In a future version there may be different @@ -12699,11 +12323,9 @@ Example: .PP .nf .na -.ft C smtpd_tls_CAfile = /etc/postfix/CAcert.pem .fi .ad -.ft R .PP This feature is available in Postfix 2.2 and later. .SH smtpd_tls_CApath (default: empty) @@ -12735,11 +12357,9 @@ Example: .PP .nf .na -.ft C smtpd_tls_CApath = /etc/postfix/certs .fi .ad -.ft R .PP This feature is available in Postfix 2.2 and later. .SH smtpd_tls_always_issue_session_ids (default: yes) @@ -12761,11 +12381,9 @@ Example: .PP .nf .na -.ft C smtpd_tls_always_issue_session_ids = no .fi .ad -.ft R .PP This feature is available in Postfix 2.3 and later. .SH smtpd_tls_ask_ccert (default: no) @@ -12859,11 +12477,9 @@ Example: .PP .nf .na -.ft C smtpd_tls_cert_file = /etc/postfix/server.pem .fi .ad -.ft R .PP This feature is available in Postfix 2.2 and later. .SH smtpd_tls_chain_files (default: empty) 
@@ -12921,7 +12537,6 @@ Example (separate files for each key and corresponding certificate chain): .in +4 .nf .na -.ft C /etc/postfix/main.cf: smtpd_tls_chain_files = ${config_directory}/ed25519.pem, @@ -12929,13 +12544,11 @@ Example (separate files for each key and corresponding certificate chain): ${config_directory}/rsa.pem .fi .ad -.ft R .in -4 .sp .in +4 .nf .na -.ft C /etc/postfix/ed25519.pem: \-\-\-\-\-BEGIN PRIVATE KEY\-\-\-\-\- MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3 @@ -12947,13 +12560,11 @@ Example (separate files for each key and corresponding certificate chain): \-\-\-\-\-END CERTIFICATE\-\-\-\-\- .fi .ad -.ft R .in -4 .sp .in +4 .nf .na -.ft C /etc/postfix/ed448.pem: \-\-\-\-\-BEGIN PRIVATE KEY\-\-\-\-\- MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe @@ -12966,13 +12577,11 @@ Example (separate files for each key and corresponding certificate chain): \-\-\-\-\-END CERTIFICATE\-\-\-\-\- .fi .ad -.ft R .in -4 .sp .in +4 .nf .na -.ft C /etc/postfix/rsa.pem: \-\-\-\-\-BEGIN PRIVATE KEY\-\-\-\-\- MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL @@ -12986,7 +12595,6 @@ Example (separate files for each key and corresponding certificate chain): \-\-\-\-\-END CERTIFICATE\-\-\-\-\- .fi .ad -.ft R .in -4 .PP Example (all keys and certificates in a single file): @@ -12994,18 +12602,15 @@ Example (all keys and certificates in a single file): .in +4 .nf .na -.ft C /etc/postfix/main.cf: smtpd_tls_chain_files = ${config_directory}/chains.pem .fi .ad -.ft R .in -4 .sp .in +4 .nf .na -.ft C /etc/postfix/chains.pem: \-\-\-\-\-BEGIN PRIVATE KEY\-\-\-\-\- MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3 @@ -13036,7 +12641,6 @@ Example (all keys and certificates in a single file): \-\-\-\-\-END CERTIFICATE\-\-\-\-\- .fi .ad -.ft R .in -4 .PP This feature is available in Postfix 3.4 and later. 
@@ -13080,11 +12684,9 @@ Example: .PP .nf .na -.ft C smtpd_tls_dcert_file = /etc/postfix/server\-dsa.pem .fi .ad -.ft R .PP This feature is available in Postfix 2.2 and later. .SH smtpd_tls_dh1024_param_file (default: empty) @@ -13113,7 +12715,6 @@ set of parameters with something like the following commands: .in +4 .nf .na -.ft C openssl dhparam \-out /etc/postfix/dh2048.pem 2048 openssl dhparam \-out /etc/postfix/dh1024.pem 1024 # As of Postfix 3.6, export\-grade 512\-bit DH parameters are no longer @@ -13121,7 +12722,6 @@ openssl dhparam \-out /etc/postfix/dh1024.pem 1024 openssl dhparam \-out /etc/postfix/dh512.pem 512 .fi .ad -.ft R .in -4 .PP It is safe to share the same DH parameters between multiple @@ -13140,11 +12740,9 @@ Example: .PP .nf .na -.ft C smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem .fi .ad -.ft R .PP This feature is available in Postfix 2.2 and later. .SH smtpd_tls_dh512_param_file (default: empty) @@ -13163,11 +12761,9 @@ Example: .PP .nf .na -.ft C smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem .fi .ad -.ft R .PP This feature is available in Postfix 2.2 and later, but is ignored in Postfix 3.6 and later. @@ -13195,11 +12791,9 @@ Example: .PP .nf .na -.ft C smtpd_tls_eccert_file = /etc/postfix/ecdsa\-scert.pem .fi .ad -.ft R .PP This feature is available in Postfix 2.6 and later, when Postfix is compiled and linked with OpenSSL 1.0.0 or later. 
@@ -13284,32 +12878,26 @@ Sample commands to compute certificate and public key SHA256 digests: .PP .nf .na -.ft C # SHA256 digest of the first certificate in "cert.pem" $ openssl x509 \-in cert.pem \-outform DER | openssl dgst \-sha256 \-c .fi .ad -.ft R .PP .nf .na -.ft C # SHA256 digest of the SPKI of the first certificate in "cert.pem" $ openssl x509 \-in cert.pem \-pubkey \-noout | openssl pkey \-pubin \-outform DER | openssl dgst \-sha256 \-c .fi .ad -.ft R .PP .nf .na -.ft C # SHA256 digest of the SPKI of the first private key in "pkey.pem" $ openssl pkey \-in pkey.pem \-pubout \-outform DER | openssl dgst \-sha256 \-c .fi .ad -.ft R .PP This feature is available in Postfix 3.9 and later. .SH smtpd_tls_exclude_ciphers (default: empty) @@ -13326,7 +12914,6 @@ Examples (some of these will cause problems): .in +4 .nf .na -.ft C smtpd_tls_exclude_ciphers = aNULL smtpd_tls_exclude_ciphers = MD5, DES smtpd_tls_exclude_ciphers = DES+MD5 @@ -13334,7 +12921,6 @@ smtpd_tls_exclude_ciphers = AES256\-SHA, DES\-CBC3\-MD5 smtpd_tls_exclude_ciphers = kEDH+aRSA .fi .ad -.ft R .in -4 .PP The first setting disables anonymous ciphers. The next setting @@ -13370,11 +12956,9 @@ specific digest algorithm, run: .in +4 .nf .na -.ft C $ openssl x509 \-noout \-fingerprint \-\fIdigest\fR \-in \fIcertfile\fR.pem .fi .ad -.ft R .in -4 .PP The text to the right of "=" sign is the desired fingerprint. @@ -13383,12 +12967,10 @@ For example: .in +4 .nf .na -.ft C $ openssl x509 \-noout \-fingerprint \-sha256 \-in cert.pem SHA256 Fingerprint=D4:6A:AB:19:24:...:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A .fi .ad -.ft R .in -4 .PP To extract the public key fingerprint from an X.509 certificate, 
@@ -13404,14 +12986,12 @@ Example: .in +4 .nf .na -.ft C $ openssl x509 \-in cert.pem \-noout \-pubkey | openssl pkey \-pubin \-outform DER | openssl dgst \-sha256 \-c (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58 .fi .ad -.ft R .in -4 .PP The Postfix SMTP server and client log the peer (leaf) certificate @@ -13423,7 +13003,6 @@ Example: client\-certificate access table, with sha256 fingerprints: .in +4 .nf .na -.ft C /etc/postfix/main.cf: smtpd_tls_fingerprint_digest = sha256 smtpd_client_restrictions = @@ -13431,10 +13010,8 @@ Example: client\-certificate access table, with sha256 fingerprints: reject .fi .ad -.ft R .nf .na -.ft C /etc/postfix/access: # Action folded to next line... AF:88:7C:AD:51:95:6F:36:96:...:01:FB:2E:48:CD:AB:49:25:A2:3B @@ -13443,7 +13020,6 @@ Example: client\-certificate access table, with sha256 fingerprints: permit_auth_destination .fi .ad -.ft R .in -4 .PP This feature is available in Postfix 2.5 and later. @@ -13608,7 +13184,6 @@ Hexadecimal example (Postfix >= 3.6): .in +4 .nf .na -.ft C # Allow only TLS 1.2 through (hypothetical) TLS 1.4, once supported # in some future version of OpenSSL (presently a warning is logged). smtpd_tls_mandatory_protocols = >=TLSv1.2, <=0305 @@ -13616,7 +13191,6 @@ smtpd_tls_mandatory_protocols = >=TLSv1.2, <=0305 smtpd_tls_mandatory_protocols = >=0x0303 .fi .ad -.ft R .in -4 .PP With Postfix < 3.6 there is no support for a minimum or maximum @@ -13634,14 +13208,12 @@ Example: .PP .nf .na -.ft C # Preferred syntax with Postfix >= 3.6: smtpd_tls_mandatory_protocols = >=TLSv1.2, <=TLSv1.3 # Legacy syntax: smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 .fi .ad -.ft R .PP This feature is available in Postfix 2.3 and later. .SH smtpd_tls_protocols (default: see 'postconf \-d' output) 
@@ -13682,7 +13254,6 @@ Hexadecimal example (Postfix >= 3.6): .in +4 .nf .na -.ft C # Allow only TLS 1.0 through (hypothetical) TLS 1.4, once supported # in some future version of OpenSSL (presently a warning is logged). smtpd_tls_protocols = >=TLSv1, <=0305 @@ -13690,7 +13261,6 @@ smtpd_tls_protocols = >=TLSv1, <=0305 smtpd_tls_protocols = >=0x0301 .fi .ad -.ft R .in -4 .PP With Postfix < 3.6 there is no support for a minimum or maximum @@ -13707,14 +13277,12 @@ releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2). Example: .nf .na -.ft C # Preferred syntax with Postfix >= 3.6: smtpd_tls_protocols = >=TLSv1, <=TLSv1.3 # Legacy syntax: smtpd_tls_protocols = !SSLv2, !SSLv3 .fi .ad -.ft R .PP This feature is available in Postfix 2.6 and later. .SH smtpd_tls_received_header (default: no) @@ -13808,11 +13376,9 @@ Example: .PP .nf .na -.ft C smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache .fi .ad -.ft R .PP This feature is available in Postfix 2.2 and later. .SH smtpd_tls_session_cache_timeout (default: 3600s) @@ -13967,11 +13533,9 @@ Example: .PP .nf .na -.ft C soft_bounce = yes .fi .ad -.ft R .SH stale_lock_time (default: 500s) The time after which a stale exclusive mailbox lockfile is removed. This is used for delivery to file or mailbox. @@ -14067,11 +13631,9 @@ Example: .PP .nf .na -.ft C swap_bangpath = no .fi .ad -.ft R .SH syslog_facility (default: mail) The syslog facility of Postfix logging. Specify a facility as defined in syslog.\fBconf\fR(5). The default facility is "mail". @@ -14102,12 +13664,10 @@ first terminate all Postfix TCP servers: .in +4 .nf .na -.ft C # postconf \-e master_service_disable=inet # postfix reload .fi .ad -.ft R .in -4 .PP This immediately terminates all processes that accept network @@ -14117,12 +13677,10 @@ tcp_windowsize setting: .in +4 .nf .na -.ft C # postconf \-e tcp_windowsize=65535 master_service_disable= # postfix reload .fi .ad -.ft R .in -4 .PP If you skip these steps with a running Postfix system, then the 
@@ -14181,7 +13739,6 @@ Example: Default settings for all applications. .in +4 .nf .na -.ft C # The name 'openssl_conf' is the default application name # The section name to the right of the '=' sign is arbitrary, # any name will do, so long as it refers to the desired section. @@ -14201,7 +13758,6 @@ system_default = initial_ssl_settings MinProtocol = TLSv1.2 .fi .ad -.ft R .in -4 .PP Example: Custom settings for an application named "postfix". @@ -14209,7 +13765,6 @@ Example: Custom settings for an application named "postfix". .in +4 .nf .na -.ft C # The mapping from an application name to the corresponding configuration # section must appear near the top of the file, (in what is sometimes called # the "default section") prior to the start of any explicitly named @@ -14224,7 +13779,6 @@ system_default = baseline_postfix_settings MinProtocol = TLSv1 .fi .ad -.ft R .in -4 .PP This feature is available in Postfix >= 3.9, 3.8.1, 3.7.6, @@ -14683,7 +14237,6 @@ Example: .in +4 .nf .na -.ft C /etc/postfix/main.cf: # # The indexed SNI table must be created with "postmap \-F" @@ -14692,13 +14245,11 @@ Example: tls_server_sni_maps = ${indexed}sni .fi .ad -.ft R .in -4 .sp .in +4 .nf .na -.ft C /etc/postfix/sni: # # The example.com domain has both an RSA and ECDSA certificate @@ -14719,7 +14270,6 @@ Example: example.org /etc/postfix/sni\-chains/example.net.pem .fi .ad -.ft R .in -4 .PP Note that the SNI lookup tables should also have entries for @@ -14866,12 +14416,10 @@ may be: .in +4 .nf .na -.ft C example.com. IN MX 0 example.com.mx1.example.net. example.com. IN MX 0 example.com.mx2.example.net. .fi .ad -.ft R .in -4 .PP and the TLS certificate may be for "*.example.net". The "*" 
@@ -15416,12 +14964,10 @@ Examples: .PP .nf .na -.ft C transport_maps = dbm:/etc/postfix/transport transport_maps = hash:/etc/postfix/transport .fi .ad -.ft R .SH transport_minimum_delivery_slots (default: $default_minimum_delivery_slots) A transport\-specific override for the default_minimum_delivery_slots parameter value, where \fItransport\fR is the master.cf name of @@ -15524,13 +15070,11 @@ Example: .PP .nf .na -.ft C # Default value before Postfix 2.8. # Note: the ":" and ";" are both required. undisclosed_recipients_header = To: undisclosed\-recipients:; .fi .ad -.ft R .SH unknown_address_reject_code (default: 450) The numerical response code when the Postfix SMTP server rejects a sender or recipient address because its domain is unknown. This @@ -15584,11 +15128,9 @@ Example: .PP .nf .na -.ft C unknown_local_recipient_reject_code = 450 .fi .ad -.ft R .PP This feature is available in Postfix 2.0 and later. .SH unknown_relay_recipient_reject_code (default: 550) @@ -15639,11 +15181,9 @@ Example: .PP .nf .na -.ft C unverified_recipient_reject_reason = Recipient address lookup failed .fi .ad -.ft R .PP This feature is available in Postfix 2.6 and later. .SH unverified_recipient_tempfail_action (default: $reject_tempfail_action) @@ -15685,11 +15225,9 @@ Example: .PP .nf .na -.ft C unverified_sender_reject_reason = Sender address lookup failed .fi .ad -.ft R .PP This feature is available in Postfix 2.6 and later. .SH unverified_sender_tempfail_action (default: $reject_tempfail_action) @@ -15726,7 +15264,6 @@ for "_submission._tcp.example.com". .PP .nf .na -.ft C /etc/postfix/main.cf: use_srv_lookup = submission relayhost = example.com:submission @@ -15734,7 +15271,6 @@ for "_submission._tcp.example.com". ...see SASL_README for sasl configuration... .fi .ad -.ft R .PP Example 2: MUA\-to\-MTA submission using SRV record lookup for the "submissions" service for domain "example.org". This uses a 
@@ -15747,25 +15283,21 @@ instead of "_submissions._tcp.example.org". .PP .nf .na -.ft C /etc/postfix/main.cf: use_srv_lookup = submissions default_transport = smtp\-wraptls:example.org:submissions ...see SASL_README for sasl configuration... .fi .ad -.ft R .PP .nf .na -.ft C /etc/postfix/master.cf: smtp\-wraptls unix ... ... ... ... ... smtp \-o { smtp_tls_wrappermode = yes } \-o { smtp_tls_security_level = encrypt } .fi .ad -.ft R .PP Example 3: Sender\-dependent selection for a combination of MUA\-to\-MTA submission services. This combines examples 1 and 2 with @@ -15777,7 +15309,6 @@ of "_submissions._tcp.example.org". .PP .nf .na -.ft C /etc/postfix/main.cf: use_srv_lookup = submission, submissions sender_dependent_default_transport_maps = inline:{ @@ -15791,7 +15322,6 @@ of "_submissions._tcp.example.org". ...see SASL_README for sasl configuration... .fi .ad -.ft R .PP Example 4: MTA\-to\-MTA traffic, using SRV record lookup for the SMTP service. This is useful for Postfix tests, and may be useful @@ -15799,7 +15329,6 @@ in environments where ports are dynamically assigned to servers. .PP .nf .na -.ft C /etc/postfix/main.cf: use_srv_lookup = smtp # Fall back to MX record lookup when SRV records are unavailable. @@ -15807,7 +15336,6 @@ in environments where ports are dynamically assigned to servers. #ignore_srv_lookup_error = yes .fi .ad -.ft R .PP This feature is available in Postfix 3.8 and later. .SH verp_delimiter_filter (default: \-=+) @@ -15855,11 +15383,9 @@ Example: .PP .nf .na -.ft C virtual_alias_domains = virtual1.tld virtual2.tld .fi .ad -.ft R .SH virtual_alias_expansion_limit (default: 1000) The maximal number of addresses that virtual alias expansion produces from each original recipient. 
@@ -15890,12 +15416,10 @@ Examples: .PP .nf .na -.ft C virtual_alias_maps = dbm:/etc/postfix/virtual virtual_alias_maps = hash:/etc/postfix/virtual .fi .ad -.ft R .SH virtual_alias_recursion_limit (default: 1000) The maximal nesting depth of virtual alias expansion. Currently the recursion limit is applied only to the left branch of the @@ -15968,11 +15492,9 @@ Example: .PP .nf .na -.ft C virtual_mailbox_base = /var/mail .fi .ad -.ft R .SH virtual_mailbox_domains (default: $virtual_mailbox_maps) Postfix is the final destination for the specified list of domains; mail is delivered via the $virtual_transport mail delivery transport. diff --git a/postfix/mantools/postconf2man b/postfix/mantools/postconf2man index cf5e16128..c3e7f8113 100755 --- a/postfix/mantools/postconf2man +++ b/postfix/mantools/postconf2man @@ -58,8 +58,8 @@ while(<>) { $block =~ s/^()/.PP\n\1/ if ($wantpp); $block =~ s/

*/\n/g; $block =~ s/ *<\/p>/\n/g; - $block =~ s/

/\n.nf\n.na\n.ft C\n/g;
-    $block =~ s/<\/pre>/\n.fi\n.ad\n.ft R\n/g;
+    $block =~ s/
/\n.nf\n.na\n/g;
+    $block =~ s/<\/pre>/\n.fi\n.ad\n/g;
     $block =~ s/]*>/\n/g;
     $block =~ s/
    /\n/g; #$block =~ s/<\/dl>/\n.PP\n/g; diff --git a/postfix/proto/mysql_table b/postfix/proto/mysql_table index e68e0aea8..4274ed4ea 100644 --- a/postfix/proto/mysql_table +++ b/postfix/proto/mysql_table @@ -267,6 +267,12 @@ # "not found". # .sp # This parameter is available with Postfix 3.2 and later. +# TLS-RELATED SETTINGS +# .ad +# .fi +# See https://dev.mysql.com/doc/c-api/en/mysql-options.html +# or https://mariadb.com/kb/en/mysql_optionsv/ for details of +# the underlying MYSQL_OPT_SSL_* features. # .IP "\fBtls_cert_file\fR" # File containing client's X509 certificate. # .sp @@ -276,7 +282,7 @@ # .sp # This parameter is available with Postfix 2.11 and later. # .IP "\fBtls_CAfile\fR" -# File containing certificates for all of the X509 Certification +# File containing X509 certificates for all of the Certification # Authorities the client will recognize. Takes precedence over # \fBtls_CApath\fR. # .sp diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 36aab443e..34ea749d7 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -1194,7 +1194,8 @@ by an RFC 3463 enhanced status code.
    $rbl_domain
    -
    The RBL domain where $rbl_what is denylisted.
    +
    The RBL domain (without any =address-filter) where +$rbl_what is denylisted.
    $rbl_reason
    @@ -3588,7 +3589,10 @@ The default time unit is s (seconds).

    Optional lookup tables with RBL or RHSBL response templates. The table search key is the reject_rbl_* or reject_rhsbl_* argument, -including any optional "=address-pattern" filter.

    +including any optional "=address-filter". With Postfix 3.10 +and later, if the result is "not found" and the search key has the +form domain=address-filter, then rbl_reply_maps will also +search with the domain.

    By default, Postfix uses the template as specified with the default_rbl_reply configuration @@ -3612,20 +3616,26 @@ syntax. # variables. secret.zen.dq.spamhaus.net=127.0.0.[2..11] 554 $rbl_class $rbl_what blocked using ZEN - see https://www.spamhaus.org/query/ip/$client_address for details +

+ +
+    # Postfix ≥ 3.10: if a search key domain=address-filter
+    # is not found, then rbl_reply_maps will also search with the
+    # domain.
     secret.zen.dq.spamhaus.net
         554 $rbl_class $rbl_what blocked using ZEN - see https://www.spamhaus.org/query/ip/$client_address for details 
 

NOTE: This feature differs from postscreen_dnsbl_reply_map where -the table search key is a domain name (no "=address" filter, -no "*weight" factor) and where the lookup result should be -a domain name (no free text, no $name variables). +the table search key is only a domain name (no "=address-filter", +no "*weight" factor) and where the lookup result +should be only a domain name (no free text, no $name variables).

This feature is available in Postfix 2.0 and later. -The "=address-pattern" filter is available in Postfix 2.8 and later. +The "=address-filter" feature is available in Postfix 2.8 and later.

%PARAM receive_override_options @@ -15451,7 +15461,7 @@ the file is read).

NOTE: This feature differs from the Postfix SMTP server's rbl_reply_maps feature, where 1) the table search key includes the -optional "=address" filter, and where 2) the lookup result +optional "=address-filter", and where 2) the lookup result contains free text with $name variables.

This feature is available in Postfix 2.8.

diff --git a/postfix/proto/stop b/postfix/proto/stop index fb1da4859..88bf64609 100644 --- a/postfix/proto/stop +++ b/postfix/proto/stop @@ -1606,3 +1606,7 @@ GTEST javascript SMFI RHSBL +Ajamian +groff +MariaDB +Fuhrer diff --git a/postfix/proto/stop.spell-cc b/postfix/proto/stop.spell-cc index a554e48b3..1314e0c0e 100644 --- a/postfix/proto/stop.spell-cc +++ b/postfix/proto/stop.spell-cc @@ -1840,3 +1840,4 @@ fhHoqvx foqvx ILP xxfi +optionsv diff --git a/postfix/src/global/dict_mysql.c b/postfix/src/global/dict_mysql.c index 133cc0d44..7d113d299 100644 --- a/postfix/src/global/dict_mysql.c +++ b/postfix/src/global/dict_mysql.c @@ -119,6 +119,15 @@ #define DICT_MYSQL_SSL_VERIFY_SERVER_CERT MYSQL_OPT_SSL_VERIFY_SERVER_CERT #elif MYSQL_VERSION_ID >= 80000 #define DICT_MYSQL_SSL_VERIFY_SERVER_CERT MYSQL_OPT_SSL_MODE +#endif + + /* + * MariaDB Connector/C 3.0.0 lists mysql_options() as deprecated and + * recommends using mysql_optionsv() instead. Option names and semantics + * have not changed. + */ +#if defined(MARIADB_PACKAGE_VERSION_ID) && MARIADB_PACKAGE_VERSION_ID >= 30000 +#define mysql_options mysql_optionsv #endif /* need some structs to help organize things */ 
@@ -598,12 +607,27 @@ static void plmysql_connect_single(DICT_MYSQL *dict_mysql, HOST *host) mysql_options(host->db, MYSQL_READ_DEFAULT_FILE, dict_mysql->option_file); if (dict_mysql->option_group && dict_mysql->option_group[0]) mysql_options(host->db, MYSQL_READ_DEFAULT_GROUP, dict_mysql->option_group); +#if MYSQL_VERSION_ID >= 80035 + /* Preferred API. */ + if (dict_mysql->tls_key_file) + mysql_options(host->db, MYSQL_OPT_SSL_KEY, dict_mysql->tls_key_file); + if (dict_mysql->tls_cert_file) + mysql_options(host->db, MYSQL_OPT_SSL_CERT, dict_mysql->tls_cert_file); + if (dict_mysql->tls_CAfile) + mysql_options(host->db, MYSQL_OPT_SSL_CA, dict_mysql->tls_CAfile); + if (dict_mysql->tls_CApath) + mysql_options(host->db, MYSQL_OPT_SSL_CAPATH, dict_mysql->tls_CApath); + if (dict_mysql->tls_ciphers) + mysql_options(host->db, MYSQL_OPT_SSL_CIPHER, dict_mysql->tls_ciphers); +#else + /* Deprecated API. */ if (dict_mysql->tls_key_file || dict_mysql->tls_cert_file || dict_mysql->tls_CAfile || dict_mysql->tls_CApath || dict_mysql->tls_ciphers) mysql_ssl_set(host->db, dict_mysql->tls_key_file, dict_mysql->tls_cert_file, dict_mysql->tls_CAfile, dict_mysql->tls_CApath, dict_mysql->tls_ciphers); +#endif #if defined(DICT_MYSQL_SSL_VERIFY_SERVER_CERT) if (dict_mysql->tls_verify_cert != -1) mysql_options(host->db, DICT_MYSQL_SSL_VERIFY_SERVER_CERT, diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index d23ed6640..69627fd39 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20240622" +#define MAIL_RELEASE_DATE "20240722" #define MAIL_VERSION_NUMBER "3.10" #ifdef SNAPSHOT diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c index 6aeda7475..607c6be7c 100644 --- a/postfix/src/smtpd/smtpd_check.c 
+++ b/postfix/src/smtpd/smtpd_check.c @@ -3570,15 +3570,21 @@ static int rbl_reject_reply(SMTPD_STATE *state, const SMTPD_RBL_STATE *rbl, /* * Use the server-specific reply template or use the default one. */ + rbl_exp.domain = mystrdup(rbl_domain); + (void) split_at(rbl_exp.domain, '='); if (*var_rbl_reply_maps) { template = maps_find(rbl_reply_maps, rbl_domain, DICT_FLAG_NONE); - if (rbl_reply_maps->error) + if (template == 0 && rbl_reply_maps->error == 0 + && strcmp(rbl_domain, rbl_exp.domain) != 0) + template = maps_find(rbl_reply_maps, rbl_exp.domain, + DICT_FLAG_NONE); + if (template == 0 && rbl_reply_maps->error != 0) { + myfree(rbl_exp.domain); reject_server_error(state); + } } why = vstring_alloc(100); rbl_exp.state = state; - rbl_exp.domain = mystrdup(rbl_domain); - (void) split_at(rbl_exp.domain, '='); rbl_exp.what = what; rbl_exp.class = reply_class; rbl_exp.txt = (rbl->txt == 0 ? "" : rbl->txt); diff --git a/postfix/src/smtpd/smtpd_check_access b/postfix/src/smtpd/smtpd_check_access index 788276adf..232e67d79 100644 --- a/postfix/src/smtpd/smtpd_check_access +++ b/postfix/src/smtpd/smtpd_check_access @@ -41,6 +41,10 @@ blackholes.mail-abuse.org $rbl_code client=$client rbl_code=$rbl_code rbl_domain=$rbl_domain rbl_txt=$rbl_txt rbl_what=$rbl_what rbl_class=$rbl_class +dnsbltest.porcupine.org=127.0.0.3 $rbl_code service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain=127.0.0.3 ${rbl_reason?; $rbl_reason} + +dnsbltest.porcupine.org $rbl_code SERVICE UNAVAILABLE; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason} + rhsbl.porcupine.org $rbl_code client=$client client_address=$client_address client_name=$client_name helo_name=$helo_name diff --git a/postfix/src/smtpd/smtpd_check_backup.ref b/postfix/src/smtpd/smtpd_check_backup.ref index c15be35f3..4beafd3e2 100644 --- a/postfix/src/smtpd/smtpd_check_backup.ref +++ b/postfix/src/smtpd/smtpd_check_backup.ref 
@@ -17,7 +17,7 @@ OK >>> recipient_restrictions permit_mx_backup,reject OK >>> rcpt wietse@wzv.porcupine.org -./smtpd_check: warning: support for restriction "permit_mx_backup" will be removed from Postfix; instead, use "relay_domains" +./smtpd_check: warning: support for restriction "permit_mx_backup" will be removed from Postfix; instead, specify "relay_domains" OK >>> rcpt wietse@backup.porcupine.org OK diff --git a/postfix/src/smtpd/smtpd_deprecated.ref b/postfix/src/smtpd/smtpd_deprecated.ref index d64f1b3d5..2832460f7 100644 --- a/postfix/src/smtpd/smtpd_deprecated.ref +++ b/postfix/src/smtpd/smtpd_deprecated.ref @@ -10,7 +10,7 @@ OK >>> mail sname@sdomain.example OK >>> rcpt rname@rdomain.example -./smtpd_check: warning: restriction permit_naked_ip_address has been removed in Postfix 3.9; use permit_mynetworks or permit_sasl_authenticated instead +./smtpd_check: warning: support for restriction "permit_naked_ip_address" has been removed in Postfix 3.9; instead, specify "permit_mynetworks" or "permit_sasl_authenticated" ./smtpd_check: : reject: RCPT from foo[127.0.0.2]: 451 4.3.5 Server configuration error; from= to= proto=SMTP helo=<127.0.0.2> 451 4.3.5 Server configuration error >>> # @@ -27,7 +27,7 @@ OK >>> mail sname@sdomain.example OK >>> rcpt rname@rdomain.example -./smtpd_check: warning: support for restriction "check_relay_domains" has been removed in Postfix 3.9; use "reject_unauth_destination" instead +./smtpd_check: warning: support for restriction "check_relay_domains" has been removed in Postfix 3.9; instead, specify "reject_unauth_destination" ./smtpd_check: : reject: RCPT from foo[127.0.0.2]: 451 4.3.5 Server configuration error; from= to= proto=SMTP helo=<127.0.0.2> 451 4.3.5 Server configuration error >>> # diff --git a/postfix/src/smtpd/smtpd_exp.in b/postfix/src/smtpd/smtpd_exp.in index 8370404b4..4ddf45b87 100644 --- a/postfix/src/smtpd/smtpd_exp.in +++ b/postfix/src/smtpd/smtpd_exp.in 
@@ -29,6 +29,9 @@ client foo 127.0.0.2 rcpt rname@rdomain client foo 127.0.0.1 rcpt rname@rdomain +recipient_restrictions reject_rbl_client,dnsbltest.porcupine.org=127.0.0.3 +client foo 127.0.0.3 +rcpt rname@rdomain # # RHSBL sender domain name # @@ -60,3 +63,15 @@ recipient_restrictions reject_rhsbl_helo,rhsbl.porcupine.org helo example.tld mail sname@sdomain rcpt rname@rdomain +# +# rbl_reply_maps lookup error +# +smtpd_delay_reject 0 +mynetworks 127.0.0.0/8,168.100.3.0/28 +relay_domains porcupine.org +rbl_reply_maps fail:1_rbl_reply_maps +helo foobar +mail sname@sdomain +recipient_restrictions reject_rbl_client,dnsbltest.porcupine.org +client foo 127.0.0.2 +rcpt rname@rdomain diff --git a/postfix/src/smtpd/smtpd_exp.ref b/postfix/src/smtpd/smtpd_exp.ref index 00848a538..38d9daf9a 100644 --- a/postfix/src/smtpd/smtpd_exp.ref +++ b/postfix/src/smtpd/smtpd_exp.ref @@ -25,13 +25,13 @@ OK >>> client spike.porcupine.org 168.100.3.2 OK >>> rcpt rname@rdomain -./smtpd_check: warning: support for restriction "reject_maps_rbl" has been removed in Postfix 3.9; use "reject_rbl_client domain-name" instead +./smtpd_check: warning: support for restriction "reject_maps_rbl" has been removed in Postfix 3.9; instead, specify "reject_rbl_client domain-name" ./smtpd_check: : reject: RCPT from spike.porcupine.org[168.100.3.2]: 451 4.3.5 Server configuration error; from= to= proto=SMTP helo= 451 4.3.5 Server configuration error >>> client foo 127.0.0.2 OK >>> rcpt rname@rdomain -./smtpd_check: warning: support for restriction "reject_maps_rbl" has been removed in Postfix 3.9; use "reject_rbl_client domain-name" instead +./smtpd_check: warning: support for restriction "reject_maps_rbl" has been removed in Postfix 3.9; instead, specify "reject_rbl_client domain-name" ./smtpd_check: : reject: RCPT from foo[127.0.0.2]: 451 4.3.5 Server configuration error; from= to= proto=SMTP helo= 451 4.3.5 Server configuration error >>> # 
@@ -44,19 +44,26 @@ OK >>> client foo 127.0.0.2 OK >>> rcpt rname@rdomain -./smtpd_check: : reject: RCPT from foo[127.0.0.2]: 554 5.7.1 Service unavailable; Client host [127.0.0.2] blocked using dnsbltest.porcupine.org; DNS blocklist test; from= to= proto=SMTP helo= -554 5.7.1 Service unavailable; Client host [127.0.0.2] blocked using dnsbltest.porcupine.org; DNS blocklist test +./smtpd_check: : reject: RCPT from foo[127.0.0.2]: 554 5.7.1 SERVICE UNAVAILABLE; Client host [127.0.0.2] blocked using dnsbltest.porcupine.org; DNS blocklist test; from= to= proto=SMTP helo= +554 5.7.1 SERVICE UNAVAILABLE; Client host [127.0.0.2] blocked using dnsbltest.porcupine.org; DNS blocklist test >>> recipient_restrictions reject_rbl_client,dnsbltest.porcupine.org=127.0.0.2 OK >>> client foo 127.0.0.2 OK >>> rcpt rname@rdomain -./smtpd_check: : reject: RCPT from foo[127.0.0.2]: 554 5.7.1 Service unavailable; Client host [127.0.0.2] blocked using dnsbltest.porcupine.org; DNS blocklist test; from= to= proto=SMTP helo= -554 5.7.1 Service unavailable; Client host [127.0.0.2] blocked using dnsbltest.porcupine.org; DNS blocklist test +./smtpd_check: : reject: RCPT from foo[127.0.0.2]: 554 5.7.1 SERVICE UNAVAILABLE; Client host [127.0.0.2] blocked using dnsbltest.porcupine.org; DNS blocklist test; from= to= proto=SMTP helo= +554 5.7.1 SERVICE UNAVAILABLE; Client host [127.0.0.2] blocked using dnsbltest.porcupine.org; DNS blocklist test >>> client foo 127.0.0.1 OK >>> rcpt rname@rdomain OK +>>> recipient_restrictions reject_rbl_client,dnsbltest.porcupine.org=127.0.0.3 +OK +>>> client foo 127.0.0.3 +OK +>>> rcpt rname@rdomain +./smtpd_check: : reject: RCPT from foo[127.0.0.3]: 554 5.7.1 service unavailable; Client host [127.0.0.3] blocked using dnsbltest.porcupine.org=127.0.0.3 ; DNS blocklist test; from= to= proto=SMTP helo= +554 5.7.1 service unavailable; Client host [127.0.0.3] blocked using dnsbltest.porcupine.org=127.0.0.3 ; DNS blocklist test >>> # >>> # RHSBL sender domain name >>> # 
@@ -111,3 +118,26 @@ OK >>> rcpt rname@rdomain ./smtpd_check: : reject: RCPT from spike.porcupine.org[168.100.3.2]: 554 5.7.1 client=spike.porcupine.org[168.100.3.2] client_address=168.100.3.2 client_name=spike.porcupine.org helo_name=example.tld sender=sname@sdomain sender_name=sname sender_domain=sdomain recipient=rname@rdomain recipient_name=rname recipient_domain=rdomain rbl_code=554 rbl_domain=rhsbl.porcupine.org rbl_txt=RHSBL test rbl_what=example.tld rbl_class=Helo command; from= to= proto=SMTP helo= 554 5.7.1 client=spike.porcupine.org[168.100.3.2] client_address=168.100.3.2 client_name=spike.porcupine.org helo_name=example.tld sender=sname@sdomain sender_name=sname sender_domain=sdomain recipient=rname@rdomain recipient_name=rname recipient_domain=rdomain rbl_code=554 rbl_domain=rhsbl.porcupine.org rbl_txt=RHSBL test rbl_what=example.tld rbl_class=Helo command +>>> # +>>> # rbl_reply_maps lookup error +>>> # +>>> smtpd_delay_reject 0 +OK +>>> mynetworks 127.0.0.0/8,168.100.3.0/28 +OK +>>> relay_domains porcupine.org +OK +>>> rbl_reply_maps fail:1_rbl_reply_maps +OK +>>> helo foobar +OK +>>> mail sname@sdomain +OK +>>> recipient_restrictions reject_rbl_client,dnsbltest.porcupine.org +OK +>>> client foo 127.0.0.2 +OK +>>> rcpt rname@rdomain +./smtpd_check: warning: fail:1_rbl_reply_maps lookup error for "dnsbltest.porcupine.org" +./smtpd_check: : reject: RCPT from foo[127.0.0.2]: 451 4.3.5 Server configuration error; from= to= proto=SMTP helo= +451 4.3.5 Server configuration error
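Review bot: In the smtpd_check.c hunk of rbl_reject_reply(), the new error path `myfree(rbl_exp.domain); reject_server_error(state);` only works because reject_server_error() does not return; a one-line comment stating that would help, since a reader sees rbl_exp.domain freed and then rbl_exp used further down (rbl_exp.what, rbl_exp.class, ...) on the fall-through path and would otherwise read it as a use-after-free. The fallback condition itself looks right: the second maps_find() runs only when the first lookup returned "not found" without error and the key actually carried an "=address-filter" (strcmp(rbl_domain, rbl_exp.domain) != 0), so a bare-domain key is never looked up twice, and a lookup error on either query ends in reject_server_error().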
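Review bot: The smtpd_exp.in hunk adds a "rbl_reply_maps lookup error" case with `fail:1_rbl_reply_maps` and a bare-domain restriction (`reject_rbl_client,dnsbltest.porcupine.org`), so it covers only an error on the first maps_find() in smtpd_check.c; a second case with a `domain=address-filter` key would exercise the other new branch, where the first lookup returns "not found" and the fallback lookup with the bare domain is the one that fails. The expected output in smtpd_exp.ref (`warning: fail:1_rbl_reply_maps lookup error for "dnsbltest.porcupine.org"` followed by 451 4.3.5) is consistent with the code as shown.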
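Review bot: In the smtpd_check_access hunk, the new `dnsbltest.porcupine.org=127.0.0.3` template has a space before `${rbl_reason?; $rbl_reason}` while the bare `dnsbltest.porcupine.org` entry directly below it has none, which is why the smtpd_exp.ref expectation reads `blocked using dnsbltest.porcupine.org=127.0.0.3 ; DNS blocklist test` with a stray space before the semicolon. Harmless for a regression test, but dropping the space (`$rbl_domain=127.0.0.3${rbl_reason?; $rbl_reason}`) and updating the two .ref lines accordingly keeps the two entries consistent.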
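Review bot: In the first dict_mysql.c hunk, `#define mysql_options mysql_optionsv` renames a library function through the preprocessor, so it must appear after the MySQL/MariaDB header has been included; that appears to be the case here, since the DICT_MYSQL_SSL_VERIFY_SERVER_CERT definitions just above already use MYSQL_OPT_SSL_MODE, but the comment should say so explicitly, because if the macro were ever moved above the include it would rewrite the prototype of mysql_options() itself. Note also that the rename does not touch mysql_ssl_set() in the `#else` branch of the second hunk, which is fine as long as that is the intent for MariaDB builds.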
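Review bot: In the second dict_mysql.c hunk, the `#if MYSQL_VERSION_ID >= 80035` branch is commented only as "Preferred API." and the `#else` branch as "Deprecated API."; saying in place that mysql_ssl_set() is deprecated as of MySQL 8.0.35 (as the HISTORY entry does) explains the version number in the #if to the next reader. The per-option mysql_options() calls (MYSQL_OPT_SSL_KEY, _CERT, _CA, _CAPATH, _CIPHER), each guarded by its own null check, are behaviourally equivalent to the single conditional mysql_ssl_set() call they replace.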
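Review bot: The postconf2man hunk removes the `.ft C` / `.ft R` pair from the generated `.nf`/`.fi` blocks rather than replacing it, so every example in the regenerated postconf(5) (all the man/man5 hunks above) now renders in the body font instead of a constant-width font. If monospaced examples are still wanted, the conventional groff font name is `CW` (`.ft CW` ... `.ft R`); if the font switch is dropped deliberately, a comment in postconf2man noting the groff complaint would save the next person from reintroducing `.ft C`.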