Postfix supports it own logging system as an alternative to +
Postfix supports its own logging system as an alternative to syslog (which remains the default). This is available with Postfix version 3.4 or later.
diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html index 3e47a0eaf..ea5209164 100644 --- a/postfix/html/smtpd.8.html +++ b/postfix/html/smtpd.8.html @@ -194,37 +194,34 @@ SMTPD(8) SMTPD(8) Available in Postfix version 2.2 and later: local_header_rewrite_clients (permit_inet_interfaces) - Rewrite message header addresses in mail from these clients and - update incomplete addresses with the domain name in $myorigin or - $mydomain; either don't rewrite message headers from other - clients at all, or rewrite message headers and update incomplete - addresses with the domain specified in the remote_header_re- - write_domain parameter. + Rewrite or add message headers in mail from these clients, + updating incomplete addresses with the domain name in $myorigin + or $mydomain, and adding missing headers. BEFORE-SMTPD PROXY AGENT Available in Postfix version 2.10 and later: smtpd_upstream_proxy_protocol (empty) - The name of the proxy protocol used by an optional before-smtpd + The name of the proxy protocol used by an optional before-smtpd proxy agent. smtpd_upstream_proxy_timeout (5s) - The time limit for the proxy protocol specified with the + The time limit for the proxy protocol specified with the smtpd_upstream_proxy_protocol parameter. AFTER QUEUE EXTERNAL CONTENT INSPECTION CONTROLS - As of version 1.0, Postfix can be configured to send new mail to an - external content filter AFTER the mail is queued. This content filter - is expected to inject mail back into a (Postfix or other) MTA for fur- + As of version 1.0, Postfix can be configured to send new mail to an + external content filter AFTER the mail is queued. This content filter + is expected to inject mail back into a (Postfix or other) MTA for fur- ther delivery. See the FILTER_README document for details. content_filter (empty) - After the message is queued, send the entire message to the + After the message is queued, send the entire message to the specified transport:destination. BEFORE QUEUE EXTERNAL CONTENT INSPECTION CONTROLS - As of version 2.1, the Postfix SMTP server can be configured to send - incoming mail to a real-time SMTP-based content filter BEFORE mail is + As of version 2.1, the Postfix SMTP server can be configured to send + incoming mail to a real-time SMTP-based content filter BEFORE mail is queued. This content filter is expected to inject mail back into Post- fix. See the SMTPD_PROXY_README document for details on how to config- ure and operate this feature. @@ -233,40 +230,40 @@ SMTPD(8) SMTPD(8) The hostname and TCP port of the mail filtering proxy server. smtpd_proxy_ehlo ($myhostname) - How the Postfix SMTP server announces itself to the proxy fil- + How the Postfix SMTP server announces itself to the proxy fil- ter. smtpd_proxy_options (empty) - List of options that control how the Postfix SMTP server commu- + List of options that control how the Postfix SMTP server commu- nicates with a before-queue content filter. smtpd_proxy_timeout (100s) - The time limit for connecting to a proxy filter and for sending + The time limit for connecting to a proxy filter and for sending or receiving information. BEFORE QUEUE MILTER CONTROLS As of version 2.3, Postfix supports the Sendmail version 8 Milter (mail - filter) protocol. These content filters run outside Postfix. They can - inspect the SMTP command stream and the message content, and can - request modifications before mail is queued. For details see the MIL- + filter) protocol. These content filters run outside Postfix. They can + inspect the SMTP command stream and the message content, and can + request modifications before mail is queued. For details see the MIL- TER_README document. smtpd_milters (empty) - A list of Milter (mail filter) applications for new mail that + A list of Milter (mail filter) applications for new mail that arrives via the Postfix smtpd(8) server. milter_protocol (6) - The mail filter protocol version and optional protocol exten- - sions for communication with a Milter application; prior to + The mail filter protocol version and optional protocol exten- + sions for communication with a Milter application; prior to Postfix 2.6 the default protocol is 2. milter_default_action (tempfail) - The default action when a Milter (mail filter) response is - unavailable (for example, bad Postfix configuration or Milter + The default action when a Milter (mail filter) response is + unavailable (for example, bad Postfix configuration or Milter failure). milter_macro_daemon_name ($myhostname) - The {daemon_name} macro value for Milter (mail filter) applica- + The {daemon_name} macro value for Milter (mail filter) applica- tions. milter_macro_v ($mail_name $mail_version) @@ -277,60 +274,60 @@ SMTPD(8) SMTPD(8) tion, and for negotiating protocol options. milter_command_timeout (30s) - The time limit for sending an SMTP command to a Milter (mail + The time limit for sending an SMTP command to a Milter (mail filter) application, and for receiving the response. milter_content_timeout (300s) - The time limit for sending message content to a Milter (mail + The time limit for sending message content to a Milter (mail filter) application, and for receiving the response. milter_connect_macros (see 'postconf -d' output) - The macros that are sent to Milter (mail filter) applications + The macros that are sent to Milter (mail filter) applications after completion of an SMTP connection. milter_helo_macros (see 'postconf -d' output) - The macros that are sent to Milter (mail filter) applications + The macros that are sent to Milter (mail filter) applications after the SMTP HELO or EHLO command. milter_mail_macros (see 'postconf -d' output) - The macros that are sent to Milter (mail filter) applications + The macros that are sent to Milter (mail filter) applications after the SMTP MAIL FROM command. milter_rcpt_macros (see 'postconf -d' output) - The macros that are sent to Milter (mail filter) applications + The macros that are sent to Milter (mail filter) applications after the SMTP RCPT TO command. milter_data_macros (see 'postconf -d' output) - The macros that are sent to version 4 or higher Milter (mail + The macros that are sent to version 4 or higher Milter (mail filter) applications after the SMTP DATA command. milter_unknown_command_macros (see 'postconf -d' output) - The macros that are sent to version 3 or higher Milter (mail + The macros that are sent to version 3 or higher Milter (mail filter) applications after an unknown SMTP command. milter_end_of_header_macros (see 'postconf -d' output) - The macros that are sent to Milter (mail filter) applications + The macros that are sent to Milter (mail filter) applications after the end of the message header. milter_end_of_data_macros (see 'postconf -d' output) - The macros that are sent to Milter (mail filter) applications + The macros that are sent to Milter (mail filter) applications after the message end-of-data. Available in Postfix version 3.1 and later: milter_macro_defaults (empty) - Optional list of name=value pairs that specify default values - for arbitrary macros that Postfix may send to Milter applica- + Optional list of name=value pairs that specify default values + for arbitrary macros that Postfix may send to Milter applica- tions. Available in Postfix version 3.2 and later: smtpd_milter_maps (empty) - Lookup tables with Milter settings per remote SMTP client IP + Lookup tables with Milter settings per remote SMTP client IP address. GENERAL CONTENT INSPECTION CONTROLS - The following parameters are applicable for both built-in and external + The following parameters are applicable for both built-in and external content filters. Available in Postfix version 2.1 and later: @@ -340,51 +337,51 @@ SMTPD(8) SMTPD(8) ing, or address mapping. EXTERNAL CONTENT INSPECTION CONTROLS - The following parameters are applicable for both before-queue and + The following parameters are applicable for both before-queue and after-queue content filtering. Available in Postfix version 2.1 and later: smtpd_authorized_xforward_hosts (empty) - What remote SMTP clients are allowed to use the XFORWARD fea- + What remote SMTP clients are allowed to use the XFORWARD fea- ture. SASL AUTHENTICATION CONTROLS Postfix SASL support (RFC 4954) can be used to authenticate remote SMTP - clients to the Postfix SMTP server, and to authenticate the Postfix - SMTP client to a remote SMTP server. See the SASL_README document for + clients to the Postfix SMTP server, and to authenticate the Postfix + SMTP client to a remote SMTP server. See the SASL_README document for details. broken_sasl_auth_clients (no) - Enable interoperability with remote SMTP clients that implement + Enable interoperability with remote SMTP clients that implement an obsolete version of the AUTH command (RFC 4954). smtpd_sasl_auth_enable (no) Enable SASL authentication in the Postfix SMTP server. smtpd_sasl_local_domain (empty) - The name of the Postfix SMTP server's local SASL authentication + The name of the Postfix SMTP server's local SASL authentication realm. smtpd_sasl_security_options (noanonymous) Postfix SMTP server SASL security options; as of Postfix 2.3 the - list of available features depends on the SASL server implemen- + list of available features depends on the SASL server implemen- tation that is selected with smtpd_sasl_type. smtpd_sender_login_maps (empty) - Optional lookup table with the SASL login names that own the + Optional lookup table with the SASL login names that own the sender (MAIL FROM) addresses. Available in Postfix version 2.1 and later: smtpd_sasl_exceptions_networks (empty) - What remote SMTP clients the Postfix SMTP server will not offer + What remote SMTP clients the Postfix SMTP server will not offer AUTH support to. Available in Postfix version 2.1 and 2.2: smtpd_sasl_application_name (smtpd) - The application name that the Postfix SMTP server uses for SASL + The application name that the Postfix SMTP server uses for SASL server initialization. Available in Postfix version 2.3 and later: @@ -395,11 +392,11 @@ SMTPD(8) SMTPD(8) smtpd_sasl_path (smtpd) Implementation-specific information that the Postfix SMTP server - passes through to the SASL plug-in implementation that is + passes through to the SASL plug-in implementation that is selected with smtpd_sasl_type. smtpd_sasl_type (cyrus) - The SASL plug-in type that the Postfix SMTP server should use + The SASL plug-in type that the Postfix SMTP server should use for authentication. Available in Postfix version 2.5 and later: @@ -411,7 +408,7 @@ SMTPD(8) SMTPD(8) Available in Postfix version 2.11 and later: smtpd_sasl_service (smtp) - The service name that is passed to the SASL plug-in that is + The service name that is passed to the SASL plug-in that is selected with smtpd_sasl_type and smtpd_sasl_path. Available in Postfix version 3.4 and later: @@ -423,20 +420,20 @@ SMTPD(8) SMTPD(8) Available in Postfix 3.6 and later: smtpd_sasl_mechanism_filter (!external, static:rest) - If non-empty, a filter for the SASL mechanism names that the + If non-empty, a filter for the SASL mechanism names that the Postfix SMTP server will announce in the EHLO response. STARTTLS SUPPORT CONTROLS - Detailed information about STARTTLS configuration may be found in the + Detailed information about STARTTLS configuration may be found in the TLS_README document. smtpd_tls_security_level (empty) - The SMTP TLS security level for the Postfix SMTP server; when a + The SMTP TLS security level for the Postfix SMTP server; when a non-empty value is specified, this overrides the obsolete param- eters smtpd_use_tls and smtpd_enforce_tls. smtpd_sasl_tls_security_options ($smtpd_sasl_security_options) - The SASL authentication security options that the Postfix SMTP + The SASL authentication security options that the Postfix SMTP server uses for TLS encrypted SMTP sessions. smtpd_starttls_timeout (see 'postconf -d' output) @@ -444,25 +441,25 @@ SMTPD(8) SMTPD(8) during TLS startup and shutdown handshake procedures. smtpd_tls_CAfile (empty) - A file containing (PEM format) CA certificates of root CAs + A file containing (PEM format) CA certificates of root CAs trusted to sign either remote SMTP client certificates or inter- mediate CA certificates. smtpd_tls_CApath (empty) - A directory containing (PEM format) CA certificates of root CAs + A directory containing (PEM format) CA certificates of root CAs trusted to sign either remote SMTP client certificates or inter- mediate CA certificates. smtpd_tls_always_issue_session_ids (yes) - Force the Postfix SMTP server to issue a TLS session id, even - when TLS session caching is turned off (smtpd_tls_ses- + Force the Postfix SMTP server to issue a TLS session id, even + when TLS session caching is turned off (smtpd_tls_ses- sion_cache_database is empty). smtpd_tls_ask_ccert (no) Ask a remote SMTP client for a client certificate. smtpd_tls_auth_only (no) - When TLS encryption is optional in the Postfix SMTP server, do + When TLS encryption is optional in the Postfix SMTP server, do not announce or accept SASL authentication over unencrypted con- nections. @@ -473,18 +470,18 @@ SMTPD(8) SMTPD(8) File with the Postfix SMTP server RSA certificate in PEM format. smtpd_tls_exclude_ciphers (empty) - List of ciphers or cipher types to exclude from the SMTP server + List of ciphers or cipher types to exclude from the SMTP server cipher list at all TLS security levels. smtpd_tls_dcert_file (empty) File with the Postfix SMTP server DSA certificate in PEM format. smtpd_tls_dh1024_param_file (empty) - File with DH parameters that the Postfix SMTP server should use + File with DH parameters that the Postfix SMTP server should use with non-export EDH ciphers. smtpd_tls_dh512_param_file (empty) - File with DH parameters that the Postfix SMTP server should use + File with DH parameters that the Postfix SMTP server should use with export-grade EDH ciphers. smtpd_tls_dkey_file ($smtpd_tls_dcert_file) @@ -497,12 +494,12 @@ SMTPD(8) SMTPD(8) Enable additional Postfix SMTP server logging of TLS activity. smtpd_tls_mandatory_ciphers (medium) - The minimum TLS cipher grade that the Postfix SMTP server will + The minimum TLS cipher grade that the Postfix SMTP server will use with mandatory TLS encryption. smtpd_tls_mandatory_exclude_ciphers (empty) - Additional list of ciphers or cipher types to exclude from the - Postfix SMTP server cipher list at mandatory TLS security lev- + Additional list of ciphers or cipher types to exclude from the + Postfix SMTP server cipher list at mandatory TLS security lev- els. smtpd_tls_mandatory_protocols (see 'postconf -d' output) @@ -511,21 +508,21 @@ SMTPD(8) SMTPD(8) smtpd_tls_received_header (no) Request that the Postfix SMTP server produces Received: message - headers that include information about the protocol and cipher - used, as well as the remote SMTP client CommonName and client + headers that include information about the protocol and cipher + used, as well as the remote SMTP client CommonName and client certificate issuer CommonName. smtpd_tls_req_ccert (no) - With mandatory TLS encryption, require a trusted remote SMTP + With mandatory TLS encryption, require a trusted remote SMTP client certificate in order to allow TLS connections to proceed. smtpd_tls_wrappermode (no) - Run the Postfix SMTP server in the non-standard "wrapper" mode, - instead of using the STARTTLS command. + Run the Postfix SMTP server in TLS "wrapper" mode, instead of + using the STARTTLS command. tls_daemon_random_bytes (32) - The number of pseudo-random bytes that an smtp(8) or smtpd(8) - process requests from the tlsmgr(8) server in order to seed its + The number of pseudo-random bytes that an smtp(8) or smtpd(8) + process requests from the tlsmgr(8) server in order to seed its internal pseudo random number generator (PRNG). tls_high_cipherlist (see 'postconf -d' output) @@ -541,41 +538,41 @@ SMTPD(8) SMTPD(8) The OpenSSL cipherlist for "export" or higher grade ciphers. tls_null_cipherlist (eNULL:!aNULL) - The OpenSSL cipherlist for "NULL" grade ciphers that provide + The OpenSSL cipherlist for "NULL" grade ciphers that provide authentication without encryption. Available in Postfix version 2.5 and later: smtpd_tls_fingerprint_digest (see 'postconf -d' output) - The message digest algorithm to construct remote SMTP - client-certificate fingerprints or public key fingerprints - (Postfix 2.9 and later) for check_ccert_access and per- + The message digest algorithm to construct remote SMTP + client-certificate fingerprints or public key fingerprints + (Postfix 2.9 and later) for check_ccert_access and per- mit_tls_clientcerts. Available in Postfix version 2.6 and later: smtpd_tls_protocols (see postconf -d output) - TLS protocols accepted by the Postfix SMTP server with oppor- + TLS protocols accepted by the Postfix SMTP server with oppor- tunistic TLS encryption. smtpd_tls_ciphers (medium) - The minimum TLS cipher grade that the Postfix SMTP server will + The minimum TLS cipher grade that the Postfix SMTP server will use with opportunistic TLS encryption. smtpd_tls_eccert_file (empty) - File with the Postfix SMTP server ECDSA certificate in PEM for- + File with the Postfix SMTP server ECDSA certificate in PEM for- mat. smtpd_tls_eckey_file ($smtpd_tls_eccert_file) - File with the Postfix SMTP server ECDSA private key in PEM for- + File with the Postfix SMTP server ECDSA private key in PEM for- mat. smtpd_tls_eecdh_grade (see 'postconf -d' output) - The Postfix SMTP server security grade for ephemeral ellip- + The Postfix SMTP server security grade for ephemeral ellip- tic-curve Diffie-Hellman (EECDH) key exchange. tls_eecdh_strong_curve (prime256v1) - The elliptic curve used by the Postfix SMTP server for sensibly + The elliptic curve used by the Postfix SMTP server for sensibly strong ephemeral ECDH key exchange. tls_eecdh_ultra_curve (secp384r1) @@ -586,7 +583,7 @@ SMTPD(8) SMTPD(8) tls_preempt_cipherlist (no) With SSLv3 and later, use the Postfix SMTP server's cipher pref- - erence order instead of the remote client's cipher preference + erence order instead of the remote client's cipher preference order. tls_disable_workarounds (see 'postconf -d' output) @@ -599,7 +596,7 @@ SMTPD(8) SMTPD(8) Available in Postfix version 3.0 and later: - tls_session_ticket_cipher (Postfix >= 3.0: aes-256-cbc, Postfix < 3.0: + tls_session_ticket_cipher (Postfix >= 3.0: aes-256-cbc, Postfix < 3.0: aes-128-cbc) Algorithm used to encrypt RFC5077 TLS session tickets. @@ -612,33 +609,33 @@ SMTPD(8) SMTPD(8) Available in Postfix version 3.4 and later: smtpd_tls_chain_files (empty) - List of one or more PEM files, each holding one or more private + List of one or more PEM files, each holding one or more private keys directly followed by a corresponding certificate chain. tls_server_sni_maps (empty) - Optional lookup tables that map names received from remote SMTP - clients via the TLS Server Name Indication (SNI) extension to + Optional lookup tables that map names received from remote SMTP + clients via the TLS Server Name Indication (SNI) extension to the appropriate keys and certificate chains. Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later: tls_fast_shutdown_enable (yes) - A workaround for implementations that hang Postfix while shut- + A workaround for implementations that hang Postfix while shut- ting down a TLS session, until Postfix times out. Available in Postfix 3.5 and later: info_log_address_format (external) - The email address form that will be used in non-debug logging + The email address form that will be used in non-debug logging (info, warning, etc.). OBSOLETE STARTTLS CONTROLS - The following configuration parameters exist for compatibility with - Postfix versions before 2.3. Support for these will be removed in a + The following configuration parameters exist for compatibility with + Postfix versions before 2.3. Support for these will be removed in a future release. smtpd_use_tls (no) - Opportunistic TLS: announce STARTTLS support to remote SMTP + Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do not require that clients use TLS encryption. smtpd_enforce_tls (no) @@ -646,94 +643,94 @@ SMTPD(8) SMTPD(8) and require that clients use TLS encryption. smtpd_tls_cipherlist (empty) - Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS + Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS cipher list. SMTPUTF8 CONTROLS Preliminary SMTPUTF8 support is introduced with Postfix 3.0. smtputf8_enable (yes) - Enable preliminary SMTPUTF8 support for the protocols described - in RFC 6531..6533. + Enable preliminary SMTPUTF8 support for the protocols described + in RFC 6531, RFC 6532, and RFC 6533. strict_smtputf8 (no) Enable stricter enforcement of the SMTPUTF8 protocol. smtputf8_autodetect_classes (sendmail, verify) - Detect that a message requires SMTPUTF8 support for the speci- + Detect that a message requires SMTPUTF8 support for the speci- fied mail origin classes. Available in Postfix version 3.2 and later: enable_idna2003_compatibility (no) - Enable 'transitional' compatibility between IDNA2003 and - IDNA2008, when converting UTF-8 domain names to/from the ASCII + Enable 'transitional' compatibility between IDNA2003 and + IDNA2008, when converting UTF-8 domain names to/from the ASCII form that is used for DNS lookups. VERP SUPPORT CONTROLS - With VERP style delivery, each recipient of a message receives a cus- - tomized copy of the message with his/her own recipient address encoded + With VERP style delivery, each recipient of a message receives a cus- + tomized copy of the message with his/her own recipient address encoded in the envelope sender address. The VERP_README file describes config- - uration and operation details of Postfix support for variable envelope - return path addresses. VERP style delivery is requested with the SMTP - XVERP command or with the "sendmail -V" command-line option and is + uration and operation details of Postfix support for variable envelope + return path addresses. VERP style delivery is requested with the SMTP + XVERP command or with the "sendmail -V" command-line option and is available in Postfix version 1.1 and later. default_verp_delimiters (+=) The two default VERP delimiter characters. verp_delimiter_filter (-=+) - The characters Postfix accepts as VERP delimiter characters on + The characters Postfix accepts as VERP delimiter characters on the Postfix sendmail(1) command line and in SMTP commands. Available in Postfix version 1.1 and 2.0: authorized_verp_clients ($mynetworks) - What remote SMTP clients are allowed to specify the XVERP com- + What remote SMTP clients are allowed to specify the XVERP com- mand. Available in Postfix version 2.1 and later: smtpd_authorized_verp_clients ($authorized_verp_clients) - What remote SMTP clients are allowed to specify the XVERP com- + What remote SMTP clients are allowed to specify the XVERP com- mand. TROUBLE SHOOTING CONTROLS - The DEBUG_README document describes how to debug parts of the Postfix - mail system. The methods vary from making the software log a lot of + The DEBUG_README document describes how to debug parts of the Postfix + mail system. The methods vary from making the software log a lot of detail, to running some daemon processes under control of a call tracer or debugger. debug_peer_level (2) - The increment in verbose logging level when a nexthop destina- - tion, remote client or server name or network address matches a + The increment in verbose logging level when a nexthop destina- + tion, remote client or server name or network address matches a pattern given with the debug_peer_list parameter. debug_peer_list (empty) - Optional list of nexthop destination, remote client or server - name or network address patterns that, if matched, cause the - verbose logging level to increase by the amount specified in + Optional list of nexthop destination, remote client or server + name or network address patterns that, if matched, cause the + verbose logging level to increase by the amount specified in $debug_peer_level. error_notice_recipient (postmaster) - The recipient of postmaster notifications about mail delivery + The recipient of postmaster notifications about mail delivery problems that are caused by policy, resource, software or proto- col errors. internal_mail_filter_classes (empty) - What categories of Postfix-generated mail are subject to - before-queue content inspection by non_smtpd_milters, + What categories of Postfix-generated mail are subject to + before-queue content inspection by non_smtpd_milters, header_checks and body_checks. notify_classes (resource, software) The list of error classes that are reported to the postmaster. smtpd_reject_footer (empty) - Optional information that is appended after each Postfix SMTP + Optional information that is appended after each Postfix SMTP server 4XX or 5XX response. soft_bounce (no) - Safety net to keep mail queued that would otherwise be returned + Safety net to keep mail queued that would otherwise be returned to the sender. Available in Postfix version 2.1 and later: @@ -744,45 +741,46 @@ SMTPD(8) SMTPD(8) Available in Postfix version 2.10 and later: smtpd_log_access_permit_actions (empty) - Enable logging of the named "permit" actions in SMTP server - access lists (by default, the SMTP server logs "reject" actions + Enable logging of the named "permit" actions in SMTP server + access lists (by default, the SMTP server logs "reject" actions but not "permit" actions). KNOWN VERSUS UNKNOWN RECIPIENT CONTROLS - As of Postfix version 2.0, the SMTP server rejects mail for unknown + As of Postfix version 2.0, the SMTP server rejects mail for unknown recipients. This prevents the mail queue from clogging up with undeliv- - erable MAILER-DAEMON messages. Additional information on this topic is + erable MAILER-DAEMON messages. Additional information on this topic is in the LOCAL_RECIPIENT_README and ADDRESS_CLASS_README documents. show_user_unknown_table_name (yes) - Display the name of the recipient table in the "User unknown" + Display the name of the recipient table in the "User unknown" responses. canonical_maps (empty) - Optional address mapping lookup tables for message headers and + Optional address mapping lookup tables for message headers and envelopes. recipient_canonical_maps (empty) - Optional address mapping lookup tables for envelope and header + Optional address mapping lookup tables for envelope and header recipient addresses. sender_canonical_maps (empty) - Optional address mapping lookup tables for envelope and header + Optional address mapping lookup tables for envelope and header sender addresses. Parameters concerning known/unknown local recipients: mydestination ($myhostname, localhost.$mydomain, localhost) - The list of domains that are delivered via the $local_transport + The list of domains that are delivered via the $local_transport mail delivery transport. inet_interfaces (all) - The network interface addresses that this mail system receives - mail on. + The local network interface addresses that this mail system + receives mail on. proxy_interfaces (empty) - The network interface addresses that this mail system receives - mail on by way of a proxy or network address translation unit. + The remote network interface addresses that this mail system + receives mail on by way of a proxy or network address transla- + tion unit. inet_protocols (see 'postconf -d output') The Internet protocols Postfix will attempt to use when making @@ -818,13 +816,13 @@ SMTPD(8) SMTPD(8) domains: virtual_alias_domains ($virtual_alias_maps) - Postfix is final destination for the specified list of virtual - alias domains, that is, domains for which all addresses are + Postfix is the final destination for the specified list of vir- + tual alias domains, that is, domains for which all addresses are aliased to addresses in other local or remote domains. virtual_alias_maps ($virtual_maps) Optional lookup tables that alias specific mail addresses or - domains to other local or remote address. + domains to other local or remote addresses. unknown_virtual_alias_reject_code (550) The Postfix SMTP server reply code when a recipient address @@ -836,9 +834,9 @@ SMTPD(8) SMTPD(8) domains: virtual_mailbox_domains ($virtual_mailbox_maps) - Postfix is final destination for the specified list of domains; - mail is delivered via the $virtual_transport mail delivery - transport. + Postfix is the final destination for the specified list of + domains; mail is delivered via the $virtual_transport mail + delivery transport. virtual_mailbox_maps (empty) Optional lookup tables with all valid addresses in the domains diff --git a/postfix/man/man8/smtpd.8 b/postfix/man/man8/smtpd.8 index 44b050327..b44faf86d 100644 --- a/postfix/man/man8/smtpd.8 +++ b/postfix/man/man8/smtpd.8 @@ -190,12 +190,9 @@ filtering, or address mapping. .PP Available in Postfix version 2.2 and later: .IP "\fBlocal_header_rewrite_clients (permit_inet_interfaces)\fR" -Rewrite message header addresses in mail from these clients and -update incomplete addresses with the domain name in $myorigin or -$mydomain; either don't rewrite message headers from other clients -at all, or rewrite message headers and update incomplete addresses -with the domain specified in the remote_header_rewrite_domain -parameter. +Rewrite or add message headers in mail from these clients, +updating incomplete addresses with the domain name in $myorigin or +$mydomain, and adding missing headers. .SH "BEFORE-SMTPD PROXY AGENT" .na .nf @@ -473,7 +470,7 @@ CommonName. With mandatory TLS encryption, require a trusted remote SMTP client certificate in order to allow TLS connections to proceed. .IP "\fBsmtpd_tls_wrappermode (no)\fR" -Run the Postfix SMTP server in the non\-standard "wrapper" mode, +Run the Postfix SMTP server in TLS "wrapper" mode, instead of using the STARTTLS command. .IP "\fBtls_daemon_random_bytes (32)\fR" The number of pseudo\-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8) @@ -584,7 +581,7 @@ cipher list. Preliminary SMTPUTF8 support is introduced with Postfix 3.0. .IP "\fBsmtputf8_enable (yes)\fR" Enable preliminary SMTPUTF8 support for the protocols described -in RFC 6531..6533. +in RFC 6531, RFC 6532, and RFC 6533. .IP "\fBstrict_smtputf8 (no)\fR" Enable stricter enforcement of the SMTPUTF8 protocol. .IP "\fBsmtputf8_autodetect_classes (sendmail, verify)\fR" @@ -694,10 +691,10 @@ Parameters concerning known/unknown local recipients: The list of domains that are delivered via the $local_transport mail delivery transport. .IP "\fBinet_interfaces (all)\fR" -The network interface addresses that this mail system receives +The local network interface addresses that this mail system receives mail on. .IP "\fBproxy_interfaces (empty)\fR" -The network interface addresses that this mail system receives mail +The remote network interface addresses that this mail system receives mail on by way of a proxy or network address translation unit. .IP "\fBinet_protocols (see 'postconf -d output')\fR" The Internet protocols Postfix will attempt to use when making @@ -726,12 +723,12 @@ a list of lookup tables that does not match the recipient address. Parameters concerning known/unknown recipients in virtual alias domains: .IP "\fBvirtual_alias_domains ($virtual_alias_maps)\fR" -Postfix is final destination for the specified list of virtual +Postfix is the final destination for the specified list of virtual alias domains, that is, domains for which all addresses are aliased to addresses in other local or remote domains. .IP "\fBvirtual_alias_maps ($virtual_maps)\fR" Optional lookup tables that alias specific mail addresses or domains -to other local or remote address. +to other local or remote addresses. .IP "\fBunknown_virtual_alias_reject_code (550)\fR" The Postfix SMTP server reply code when a recipient address matches $virtual_alias_domains, and $virtual_alias_maps specifies a list @@ -740,7 +737,7 @@ of lookup tables that does not match the recipient address. Parameters concerning known/unknown recipients in virtual mailbox domains: .IP "\fBvirtual_mailbox_domains ($virtual_mailbox_maps)\fR" -Postfix is final destination for the specified list of domains; +Postfix is the final destination for the specified list of domains; mail is delivered via the $virtual_transport mail delivery transport. .IP "\fBvirtual_mailbox_maps (empty)\fR" Optional lookup tables with all valid addresses in the domains that diff --git a/postfix/proto/MAILLOG_README.html b/postfix/proto/MAILLOG_README.html index 5591eb884..641310921 100644 --- a/postfix/proto/MAILLOG_README.html +++ b/postfix/proto/MAILLOG_README.html @@ -20,7 +20,7 @@ logging to file or stdoutPostfix supports it own logging system as an alternative to +
Postfix supports its own logging system as an alternative to syslog (which remains the default). This is available with Postfix version 3.4 or later.
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index ec4268991..078d2374c 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20221023" +#define MAIL_RELEASE_DATE "20221207" #define MAIL_VERSION_NUMBER "3.8" #ifdef SNAPSHOT diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c index 4f59dcae0..21b57cb9b 100644 --- a/postfix/src/smtpd/smtpd.c +++ b/postfix/src/smtpd/smtpd.c @@ -172,12 +172,9 @@ /* .PP /* Available in Postfix version 2.2 and later: /* .IP "\fBlocal_header_rewrite_clients (permit_inet_interfaces)\fR" -/* Rewrite message header addresses in mail from these clients and -/* update incomplete addresses with the domain name in $myorigin or -/* $mydomain; either don't rewrite message headers from other clients -/* at all, or rewrite message headers and update incomplete addresses -/* with the domain specified in the remote_header_rewrite_domain -/* parameter. +/* Rewrite or add message headers in mail from these clients, +/* updating incomplete addresses with the domain name in $myorigin or +/* $mydomain, and adding missing headers. /* BEFORE-SMTPD PROXY AGENT /* .ad /* .fi @@ -439,7 +436,7 @@ /* With mandatory TLS encryption, require a trusted remote SMTP client /* certificate in order to allow TLS connections to proceed. /* .IP "\fBsmtpd_tls_wrappermode (no)\fR" -/* Run the Postfix SMTP server in the non-standard "wrapper" mode, +/* Run the Postfix SMTP server in TLS "wrapper" mode, /* instead of using the STARTTLS command. /* .IP "\fBtls_daemon_random_bytes (32)\fR" /* The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8) @@ -546,7 +543,7 @@ /* Preliminary SMTPUTF8 support is introduced with Postfix 3.0. /* .IP "\fBsmtputf8_enable (yes)\fR" /* Enable preliminary SMTPUTF8 support for the protocols described -/* in RFC 6531..6533. +/* in RFC 6531, RFC 6532, and RFC 6533. /* .IP "\fBstrict_smtputf8 (no)\fR" /* Enable stricter enforcement of the SMTPUTF8 protocol. /* .IP "\fBsmtputf8_autodetect_classes (sendmail, verify)\fR" @@ -650,10 +647,10 @@ /* The list of domains that are delivered via the $local_transport /* mail delivery transport. /* .IP "\fBinet_interfaces (all)\fR" -/* The network interface addresses that this mail system receives +/* The local network interface addresses that this mail system receives /* mail on. /* .IP "\fBproxy_interfaces (empty)\fR" -/* The network interface addresses that this mail system receives mail +/* The remote network interface addresses that this mail system receives mail /* on by way of a proxy or network address translation unit. /* .IP "\fBinet_protocols (see 'postconf -d output')\fR" /* The Internet protocols Postfix will attempt to use when making @@ -682,12 +679,12 @@ /* Parameters concerning known/unknown recipients in virtual alias /* domains: /* .IP "\fBvirtual_alias_domains ($virtual_alias_maps)\fR" -/* Postfix is final destination for the specified list of virtual +/* Postfix is the final destination for the specified list of virtual /* alias domains, that is, domains for which all addresses are aliased /* to addresses in other local or remote domains. /* .IP "\fBvirtual_alias_maps ($virtual_maps)\fR" /* Optional lookup tables that alias specific mail addresses or domains -/* to other local or remote address. +/* to other local or remote addresses. /* .IP "\fBunknown_virtual_alias_reject_code (550)\fR" /* The Postfix SMTP server reply code when a recipient address matches /* $virtual_alias_domains, and $virtual_alias_maps specifies a list @@ -696,7 +693,7 @@ /* Parameters concerning known/unknown recipients in virtual mailbox /* domains: /* .IP "\fBvirtual_mailbox_domains ($virtual_mailbox_maps)\fR" -/* Postfix is final destination for the specified list of domains; +/* Postfix is the final destination for the specified list of domains; /* mail is delivered via the $virtual_transport mail delivery transport. /* .IP "\fBvirtual_mailbox_maps (empty)\fR" /* Optional lookup tables with all valid addresses in the domains that diff --git a/postfix/src/smtpd/smtpd_proxy.c b/postfix/src/smtpd/smtpd_proxy.c index b2e765b31..1c1f9fc49 100644 --- a/postfix/src/smtpd/smtpd_proxy.c +++ b/postfix/src/smtpd/smtpd_proxy.c @@ -388,7 +388,7 @@ static int smtpd_proxy_connect(SMTPD_STATE *state) */ server_xforward_features = 0; lines = STR(proxy->reply); - while ((words = mystrtok(&lines, "\n")) != 0) { + while ((words = mystrtok(&lines, "\r\n")) != 0) { if (mystrtok(&words, "- ") && (word = mystrtok(&words, " \t")) != 0) { if (strcasecmp(word, XFORWARD_CMD) == 0) while ((word = mystrtok(&words, " \t")) != 0) diff --git a/postfix/src/tls/tls.h b/postfix/src/tls/tls.h index 1e8d8f306..c0eff92c1 100644 --- a/postfix/src/tls/tls.h +++ b/postfix/src/tls/tls.h @@ -647,6 +647,7 @@ extern TLS_TLSA *tlsa_prepend(TLS_TLSA *, uint8_t, uint8_t, uint8_t, /* * tls_fprint.c */ +extern const EVP_MD *tls_digest_byname(const char *, EVP_MD_CTX **); extern char *tls_digest_encode(const unsigned char *, int); extern char *tls_cert_fprint(X509 *, const char *); extern char *tls_pkey_fprint(X509 *, const char *); diff --git a/postfix/src/tls/tls_client.c b/postfix/src/tls/tls_client.c index b6065649b..5a99a6ace 100644 --- a/postfix/src/tls/tls_client.c +++ b/postfix/src/tls/tls_client.c @@ -324,6 +324,7 @@ static void verify_extract_name(TLS_SESS_STATE *TLScontext, X509 *peercert, * checks are now performed internally in OpenSSL. */ if (SSL_get_verify_result(TLScontext->con) == X509_V_OK) { + TLScontext->peer_status |= TLS_CERT_FLAG_TRUSTED; if (TLScontext->must_fail) { msg_panic("%s: cert valid despite trust init failure", TLScontext->namaddr); @@ -352,8 +353,7 @@ static void verify_extract_name(TLS_SESS_STATE *TLScontext, X509 *peercert, TLScontext->namaddr, peername); tls_dane_log(TLScontext); } - } else - TLScontext->peer_status |= TLS_CERT_FLAG_TRUSTED; + } } /* diff --git a/postfix/src/tls/tls_dane.c b/postfix/src/tls/tls_dane.c index 752bb5b1c..a2b9b80d3 100644 --- a/postfix/src/tls/tls_dane.c +++ b/postfix/src/tls/tls_dane.c @@ -823,7 +823,7 @@ int tls_dane_enable(TLS_SESS_STATE *TLScontext) /* tls_dane_digest_init - configure supported DANE digests */ -void tls_dane_digest_init(SSL_CTX *ctx, const EVP_MD * fpt_alg) +void tls_dane_digest_init(SSL_CTX *ctx, const EVP_MD *fpt_alg) { dane_mtype mtypes[256]; char *cp; @@ -930,7 +930,7 @@ void tls_dane_digest_init(SSL_CTX *ctx, const EVP_MD * fpt_alg) } mtypes[codepoint].ord = ++ord; - if ((mtypes[codepoint].alg = EVP_get_digestbyname(algname)) == 0) { + if ((mtypes[codepoint].alg = tls_digest_byname(algname, NULL)) == 0) { msg_warn("%s: digest algorithm \"%s\"(%d) unknown", VAR_TLS_DANE_DIGESTS, algname, codepoint); continue; @@ -1132,11 +1132,11 @@ static void load_tlsa_args(SSL *ssl, char *argv[]) case 0: break; case 1: - if ((md = EVP_get_digestbyname(LN_sha256)) == 0) + if ((md = tls_digest_byname(LN_sha256, NULL)) == 0) msg_fatal("Digest %s not found", LN_sha256); break; case 2: - if ((md = EVP_get_digestbyname(LN_sha512)) == 0) + if ((md = tls_digest_byname(LN_sha512, NULL)) == 0) msg_fatal("Digest %s not found", LN_sha512); break; default: diff --git a/postfix/src/tls/tls_fprint.c b/postfix/src/tls/tls_fprint.c index 4f2f015b5..c9f32e716 100644 --- a/postfix/src/tls/tls_fprint.c +++ b/postfix/src/tls/tls_fprint.c @@ -6,6 +6,10 @@ /* SYNOPSIS /* #include